Kaspersky first identified the cyber espionage group known as Careto in 2014. The group has drawn growing public scrutiny, partly because of the sophistication of its operations. According to some sources, Careto, a Spanish-speaking group, appears to have links to the Spanish government, which raises lingering questions about state-sponsored cyber activity. Although it went quiet soon after it was exposed, the group left an outsized international footprint: its malware has been found in 31 countries on five continents, with targets in Cuba, Europe and Africa especially prevalent.
Careto’s malware had advanced capabilities: it allowed the operators to remotely activate a computer’s microphone, steal sensitive files and capture session cookies. The group’s long-standing interest in Cuba is notable because, among other things, it coincides with the significant presence of ETA members on the island. By the end of 2013, some 15 ETA members were living in Cuba, allegedly with the host government’s consent. This suggests that Careto’s targets were chosen to serve a political agenda, consistent with the reported Spanish links, rather than at random.
The Reach of Careto’s Malware
Kaspersky’s investigation found that Careto’s malware was most concentrated in North Africa. Morocco was heavily affected, and the group also targeted Algeria, Tunisia and Libya, countries that were in upheaval during the Arab Spring. In Europe, the group focused on hundreds of victims in France, Spain and the United Kingdom. The breadth of the campaign, including 71 compromise detections in Ukraine alone, shows a deliberate effort to collect intelligence across very different geopolitical environments.
In Central Africa, Careto went after a second, unidentified organization, showing that its operations were not confined to any one region. Georgy Kucherin, a researcher at Kaspersky, described Careto’s attacks as “a masterpiece,” emphasizing the group’s technical prowess and strategic planning.
The group’s demonstrated ability to infiltrate and undermine systems has alarmed cybersecurity professionals and government agencies such as Homeland Security. By exercising extreme caution in its attacks, Careto managed to stay hidden for years. Its most recent operations, however, exposed “small but fatal mistakes,” which security analysts are now examining closely.
Attribution and Analysis
Former Kaspersky employees have said with high confidence that Careto is a nation-state-backed operation. One former employee stated, “There was no doubt of that, at least no reasonable [doubt].” Even so, Kaspersky itself continued to stay on the sidelines when it came to formally attributing the activity to a specific actor.
Mai Al Akkad, a spokesperson for Kaspersky, reiterated this position: “We don’t engage in any formal attribution.” Researchers who have studied the group’s tactics, techniques and procedures still regard the early evidence pointing to a nation-state actor as strong. Kucherin stated, “It’s no doubt a nation state.” Beyond that, he acknowledged the difficulty of technically identifying who created the malware beyond a reasonable doubt.
Finally, Kucherin noted that although Careto has traditionally shown discretion, it has recently made large blunders, and that such mistakes can offer investigators important clues for piecing together the group’s possible organizational structure.
Operational Tactics
More impressive than the tooling Careto deployed were its operational tactics. As soon as Kaspersky exposed the operation, the operators tore down their entire infrastructure. During operations they scrubbed their logs meticulously, a discipline rarely seen among hacktivist groups. This level of preparedness reflects a genuine understanding of operational security and shows the lengths to which Careto will go to cover its tracks.
A former Kaspersky employee described the dismantling of Careto’s infrastructure: “They systematically, and in a quick manner, destroyed the whole thing, the whole infrastructure. Boom. It was just gone.” This swift response shows that Careto was highly organized and anticipated investigations following its intrusions.
The malware itself had an interesting twist: a code string named “Caguen1aMar,” a Spanish-language contraction of a common curse. This detail deepens the mystery and further complicates attempts to discern Careto’s identity and intentions.