
The Mysterious Spanish Government Hackers Behind "The Mask"

For over a decade, a highly sophisticated hacking group known as Careto (or "The Mask") has been operating in the shadows, targeting governments, companies, and activists around the world. Now, new information has emerged about the group's origins and the government that likely stands behind its espionage activities.


Careto was first discovered by researchers at Kaspersky Lab in 2014, who described it as "one of the most advanced threats at the moment." The group's malware was capable of stealing highly sensitive data, including private communications, encryption keys, and even data from mobile devices.


What made Careto unique was its laser-like focus on certain targets, particularly the Cuban government. Kaspersky researchers found that Cuba had by far the most Careto victims of any country they identified. This, along with other clues in the malware code and targeting patterns, led Kaspersky's team to privately conclude that Careto was likely operated by the Spanish government.


Several former Kaspersky employees have now confirmed to TechCrunch that the researchers were highly confident Spain was behind Careto. However, the company chose not to publicly attribute the group to the Spanish government at the time, citing a "no attribution" policy.


Beyond Cuba, Careto also targeted victims in other countries with strategic importance to Spain, such as Morocco, Gibraltar, and Brazil - where Spain was pushing for a high-speed rail project. The group even exploited a vulnerability in Kaspersky's own antivirus software to aid its operations in Cuba, where the Russian firm dominated the market.


After Kaspersky's 2014 report blew the lid off Careto's activities, the group went dark. But in 2024, Kaspersky discovered the hackers had resurfaced, once again targeting organizations in Latin America and Africa. While the researchers couldn't definitively attribute the new attacks to the Spanish government, the tactics and tools used were strikingly similar to the original Careto operations.


Careto may not be a household name like other state-sponsored hacking groups, but its advanced capabilities and selective targeting make it one of the more intriguing government-backed threat actors to emerge in recent years. Spain's involvement, if confirmed, would place it among an elite club of Western nations known to conduct sophisticated cyber espionage operations.
