In the world of cyberespionage, some names are well known: Lazarus in North Korea, APT28 in Russia or APT41 in China. These are groups that, according to cybersecurity reports, operate with state support. Now a new actor could join that list, and its origin would be especially striking: Spain. Its name is Careto, a group that for years remained in the shadows and that has returned to the radar, according to TechCrunch, based on the testimonies of former employees of the security firm Kaspersky.
The group was discovered in 2014 by the Russian company, which named it The Mask after finding the term "careto" in the malware code. The word, a colloquial Spanish expression that can be translated as "mask", ended up naming a campaign that, according to Kaspersky, stood out for its complexity and breadth. The group is said to have deployed an arsenal of tools adapted to different platforms, including Windows, macOS and Linux, as well as indications of versions for Android and iOS, although the latter were never technically confirmed.
One of the most sophisticated cyberespionage groups discovered by Kaspersky
Among the technical capabilities described by Kaspersky were the theft of encrypted documents, SSH keys and VPN configurations, keystroke logging, screenshots, and the interception of Skype conversations (a service now discontinued) and of network traffic. The attacks were delivered through spear-phishing emails that imitated pages of Spanish media outlets such as El País, El Mundo or Público. One of the most striking indicators the analysts identified was the string "Caguen1aMar", a deformation of the expression "me cago en la mar" ("I shit in the sea"), hidden in the malware code.
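Two of the indicators in the paragraph above lend themselves to simple detection logic: the string that was found embedded in the malware, and lure pages that imitate the named Spanish media outlets. The following is an added example written for this page, not code from Kaspersky, TechCrunch or Xataka; the outlet domain names and the proxy log lines are assumptions constructed for the demonstration, and only the string itself comes from the article.

```python
import re

# String that analysts found embedded in the malware code, as quoted on the page.
CARETO_STRING = b"Caguen1aMar"

# Media outlets whose pages the spear-phishing lures imitated, per the page.
# The registrable domains are assumptions; the page does not list them.
LURE_BRANDS = {
    "elpais": "elpais.com",
    "elmundo": "elmundo.es",
    "publico": "publico.es",
}

# Constructed proxy log sample: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2014-02-10T09:12:01Z 10.0.0.12 GET http://www.elpais.com/politica/ 200
2014-02-10T09:13:44Z 10.0.0.12 GET http://elpais-noticias.example/login 200
2014-02-10T09:14:02Z 10.0.0.15 GET http://e1mundo.es/ 200
2014-02-10T09:15:30Z 10.0.0.15 GET http://www.publico.es/ 200
"""


def scan_buffer_for_marker(data: bytes) -> list:
    """Return the byte offsets at which the known string occurs (case-insensitive),
    so a file or memory dump can be checked for the marker without a full parser."""
    pattern = re.compile(re.escape(CARETO_STRING), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(data)]


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; used to catch single-character substitutions
    such as a digit 1 standing in for the letter l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Classify a hostname as 'legitimate' (the outlet's own domain or a
    subdomain of it), 'lookalike:<brand>' (second-level label contains the
    brand or is within edit distance 1 of it), or 'unrelated'."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    for legit in LURE_BRANDS.values():
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    for brand in LURE_BRANDS:
        if brand in label or levenshtein(label, brand) <= 1:
            return f"lookalike:{brand}"
    return "unrelated"


def flag_lure_hosts(log_text: str) -> list:
    """Walk proxy log lines, pull the host out of each URL and return
    (host, verdict) pairs for every host judged to be a lookalike."""
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r"https?://([^/\s]+)", line)
        if not m:
            continue
        host = m.group(1)
        verdict = classify_host(host)
        if verdict.startswith("lookalike:"):
            flagged.append((host, verdict))
    return flagged


if __name__ == "__main__":
    print(scan_buffer_for_marker(b"\x00\x01 CAGUEN1AMAR \xff"))
    for host, verdict in flag_lure_hosts(SAMPLE_PROXY_LOG):
        print(f"{host}: {verdict}")
```

The string match is deliberately case-insensitive because the page quotes the marker in mixed case and an analyst cannot rely on a sample preserving it; the domain check treats only the outlet's own domain and its subdomains as legitimate, so a registered-looking name such as elpais-noticias.example is still flagged.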
Although Kaspersky never publicly attributed the group to any state, several former employees of the company consulted by TechCrunch say that, internally, it was concluded that Careto operated on behalf of the Spanish government. "There was no doubt about that, at least not a reasonable (doubt)," one of them said, while three other researchers supported the same hypothesis. The decision not to make it public is said to stem from the company's internal policy, which imposes strict restrictions on the formal attribution of attacks.
One of the starting points of the investigation was an attack on a government institution in Cuba, considered "patient zero", according to the testimonies gathered by TechCrunch. The presence of ETA members on the island at the time, according to information published by El País and mentioned in leaked diplomatic cables, could have motivated the operation. The researchers also detected other targets: there were victims in Brazil, in Morocco and in Gibraltar.


Illustration shared by Kaspersky
The global reach of the group was reflected in Kaspersky's technical report: infections were identified in at least 31 countries, with a total of 380 victims. The most affected were in Latin America, Europe and North Africa. The targets, according to the same report, included governments, embassies, diplomatic bodies, energy companies, research centres and activists.
After the report was published in 2014, the operators of The Mask are said to have dismantled all of the discovered infrastructure, deleting activity logs and shutting down command-and-control servers, an unusual move that, according to the researchers, shows the technical capacity of a highly trained group.


The name was hidden in the code
A decade later, Kaspersky again detected activity linked to The Mask. In May 2024, the company announced that it had identified new infections in a Latin American organisation that had already been attacked by the group in 2019 and 2022 at least. There was also a trace of activity at a second victim in Central Africa.
Georgy Kucherin and Marc Rivero, the Kaspersky researchers who authored the new report, maintain that the current operations show the same degree of sophistication and caution as a decade ago. "Their attacks are a masterpiece," Kucherin told TechCrunch, although he also clarified that, from a technical point of view, it is still impossible to confirm which government is really behind the group: "Most likely, it is a state actor," he said, adding that at a technical level it is impossible to know.
Neither the Spanish Ministry of Defence nor the Cuban government had commented as of this writing, according to TechCrunch. From Xataka, we have contacted both Kaspersky and the Ministry of the Interior to obtain an official assessment of the possible link with the Careto group. Kaspersky replied that it does not usually comment on information based on anonymous sources, nor attribute the origin of cyberattacks to countries. At the time of publishing this article, the Interior Ministry had not responded.
Images | rawpixel.com | Layo Animals | Kaspersky