Analysis

Internal conviction among Kaspersky researchers, dating back to the 2014 discovery of the hacking group Careto, attributed its sophisticated cyber-espionage operations to the Spanish government, although Kaspersky maintained a public policy of no formal attribution. Careto, named after a Spanish slang term found in its malware, was described as one of the most advanced threats at the time, capable of exfiltrating highly sensitive data, including private conversations and keystrokes, from government institutions and private companies globally. The initial investigation was notably sparked by the targeting of a Cuban government institution, a region where Basque terrorist group ETA members were present, aligning with Spain's geostrategic interests, alongside other targets like Gibraltar and Brazil. Despite dismantling its infrastructure post-discovery in 2014, Careto re-emerged by 2024, with Kaspersky identifying new attacks leveraging similarly complex malware against organizations in Latin America and Central Africa, some of which were previous victims. Current Kaspersky analysis reaffirms Careto's high level of sophistication, describing its recent attacks as a 'masterpiece' in complexity, likely state-sponsored, though still without public government attribution. The group's tactics included spearphishing with links impersonating Spanish newspapers and exploiting vulnerabilities, including one in Kaspersky's own antivirus software, which ironically aided its discovery due to Kaspersky's dominant market share in Cuba.