Cuba Cyber Tour
Government, military, and state enterprise infrastructure assessment — from GAESA's $18 billion conglomerate to unauthenticated APIs leaking citizen data.
The military runs the economy. We mapped the infrastructure they forgot to lock.
About This Investigation
Two-phase OSINT assessment of Cuban government infrastructure. V1 (January 2026) documented 131 .gob.cu domains across 20 categories — presidency, ministries, military, state media, infrastructure, judiciary, and state enterprises. V2 (March 2026) expanded to 2,052 domains via certificate transparency and DNS enumeration, uncovering the GAESA military conglomerate's digital footprint, a catastrophic single-point-of-failure software vendor (Guajiritos S.R.L.), and unauthenticated APIs exposing tens of thousands of payment records with customer PII. All data obtained passively through Tor multi-node rotation — no exploitation, no authentication required.
GAESA: The Military Runs the Internet Too
GAESA (Grupo de Administración Empresarial S.A.) is the Cuban military's business conglomerate, controlling an estimated 40% of the national economy and 95% of foreign currency transactions. Of 42 subsidiaries probed, 34 have zero DNS records — total digital opacity. But the 20% that are online share a single software vendor, a single SSL certificate, and a single set of unauthenticated APIs. One company — Guajiritos S.R.L. — builds and operates all tourism IT for 20+ GAESA companies. A compromise of Guajiritos means a compromise of Cuba's entire tourism booking infrastructure, military marinas, medical tourism, and rental car fleet.
GAESA Tourism Network
7 companies, 1 SSL certificate, shared everything
| Company | Domain | Role |
|---|---|---|
| Havanatur S.A. | *.havanatursa.com | Main booking platform (12 API subdomains) |
| Grupo Cubanacan | *.grupocubanacan.com | Tourism group |
| Marinas Gaviota S.A. | *.marinasgaviotasa.com | Military marina / nautical tourism |
| Cubanacan S.A. | *.cubanacansa.com | Tourism operator |
| Okaturs | *.okaturs.com | Tourism operator |
| CIS La Pradera | *.cislapradera.com | Medical tourism / International Health Center |
| Ofertas Travel | *.ofertastravel.com | Tourism operator |
Critical Findings
Data exposed without authentication across Cuban government and military infrastructure
| Finding | Source | Impact |
|---|---|---|
| 31,684 payment records with customer PII | GAESA tourism APIs | 13,800+ emails, 27,500+ phone numbers |
| Full rental car fleet inventory | Havanatur API | 156 vehicles, pricing, availability |
| 805 bank branches with GPS coordinates | Banco Central API | Complete financial infrastructure map |
| Triple exchange rate system exposed | Banco Central API | Official, informal, and crypto rates |
| 5,313 student records with national IDs | UCLV GitLab | Full PII: names, CI numbers, enrollment data |
| Laravel APP_KEY + DB credentials | UCLV GitLab commits | Remote code execution capability |
| Bcrypt password hashes | UCLV GitLab | Credential theft risk |
| OpenID Connect password grant | UCLV auth system | Direct password authentication endpoint |
| ETECSA employee PII in SSL cert | Certificate transparency | Internal organizational data leak |
| WordPress user enumeration (14 accounts) | Health, education, media .gob.cu | Gravatar hashes, login targets |
| MINFAR military HQ GPS coordinates | Public metadata | Avenida Independencia, La Habana 10400 |
| 12 Google Analytics IDs mapped | Government websites | Cross-site tracking and relationship mapping |
Credentials & Secrets
Exposed credentials, password hashes, API keys, and PII across both assessments
V1 — Government Infrastructure Collection
131 domains across 20 categories — January 2026
V2 — GAESA & Deep Infrastructure
2,052 domains — military conglomerate, university GitLab, banking APIs — March 2026