- Hackers installed a 4G Raspberry Pi inside a bank’s ATM switch to gain network access
- The device was disguised and communicated every 600 seconds, avoiding typical detection systems
- Malware used fake Linux names and obscure directories to blend into legitimate system activity
A criminal group recently attempted an unusual, and sophisticated intrusion, into a bank’s ATM infrastructure by deploying a 4G-enabled Raspberry Pi.
A report from Group-IB revealed the device was covertly installed on a network switch used by the ATM system, placing it inside the internal banking environment.
The group behind the operation, UNC2891, exploited this physical access point to circumvent digital perimeter defenses entirely, illustrating how physical compromise can still outpace software-based protection.
Exploiting physical access to bypass digital defenses
The Raspberry Pi served as a covert entry point with remote connectivity capabilities via its 4G modem, which allowed persistent command-and-control access from outside the institution’s network, without triggering typical firewall or endpoint protection alerts.
“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong wrote.
“This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network.”
Using mobile data, the attackers maintained a low-profile presence while deploying custom malware and initiating lateral movements within the bank’s infrastructure.
A particular tool, known as TinyShell, was used to control network communications, enabling data to pass invisibly across multiple internal systems.
Forensics later revealed UNC2891 used a layered approach to obfuscation.
The malware processes were named “lightdm,” imitating legitimate Linux system processes.
These backdoors ran from atypical directories such as /tmp, making them blend in with benign system functions.
Also, the group used a technique known as Linux bind mounts to hide process metadata from forensic tools, a method not typically seen in active attacks until now.
This technique has since been cataloged in the MITRE ATT&CK framework due to its potential to elude conventional detection.
The investigators discovered that the bank’s monitoring server was silently communicating with the Raspberry Pi every 600 seconds, network behavior which was subtle and thus didn’t immediately stand out as malicious.
However, deeper memory analysis revealed the deceptive nature of the processes and that these communications extended to an internal mail server with persistent internet access.
Even after the physical implant was removed, the attackers had maintained access via this secondary vector, showing a calculated strategy to ensure continuity.
Ultimately, the aim was to compromise the ATM switching server and deploy the custom rootkit CAKETAP, which can manipulate hardware security modules to authorize illegitimate transactions.
Such a tactic would allow fraudulent cash withdrawals while appearing legitimate to the bank’s systems.
Fortunately, the intrusion was halted before this phase could be executed.
This incident shows the risks associated with the growing convergence of physical access tactics and advanced anti-forensic techniques.
It also reveals that beyond remote hacking, insider threats or physical tampering can facilitate identity theft and financial fraud.
