- Hackers installed a 4G Raspberry Pi inside a bank’s ATM switch to gain network access
- The device was disguised and beaconed every 600 seconds, an interval that evaded typical detection systems
- Malware used fake Linux process names and unusual folders to blend in with legitimate system activity
A criminal group recently attempted an unusual and sophisticated intrusion into a bank’s ATM infrastructure by deploying a 4G-enabled Raspberry Pi.
A report from Group-IB revealed that the device was covertly installed on a network switch used by the ATM system, placing it inside the internal banking environment.
The group behind the operation, UNC2891, used this physical access point to bypass the digital perimeter defenses entirely, illustrating how physical compromise can still defeat software-based protection.
Using physical access to bypass digital defenses
The Raspberry Pi served as a hidden entry point with remote connectivity via its 4G modem, which enabled sustained command-and-control access from outside the institution’s network without triggering the usual firewall or endpoint protection alarms.
“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” wrote Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong.
“This device was directly connected to the same network switch as the ATM, which effectively placed it inside the bank’s internal network.”
Using mobile data, the attackers maintained a low-profile presence while they deployed custom malware and initiated lateral movement within the bank’s infrastructure.
A tool known as TinyShell was used to control network communication, enabling data to pass unnoticed across multiple internal systems.
Forensics later revealed that UNC2891 used a layered approach to obfuscation.
The malware processes were named “lightdm”, imitating a legitimate Linux system process.
These backdoors ran from atypical folders such as /tmp, causing them to blend in with benign system activity.
The group also used a technique based on Linux bind mounts to hide process metadata from forensic tools, a method not previously seen in active attacks.
This technique has since been cataloged in the MITRE ATT&CK framework because of its potential to evade conventional detection.
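The two hiding tricks described above (a system-daemon name running from a scratch directory, and a bind mount placed over a /proc/<pid> directory) can both be checked from ordinary host telemetry. The following Python is an added example written for this article, not code from Group-IB or from the incident; the process records, the /proc/mounts text and the `EXPECTED_EXE` allowlist are constructed for illustration, and a real deployment would read live `ps` output and /proc/mounts and build the allowlist from package metadata or a golden image.

```python
import re

# Constructed sample of running processes, in the shape of `ps -eo pid,comm`
# joined with the resolved /proc/<pid>/exe link. Not records from the incident.
SAMPLE_PROCESSES = [
    {"pid": 812,  "comm": "lightdm", "exe": "/usr/sbin/lightdm"},
    {"pid": 4711, "comm": "lightdm", "exe": "/tmp/.X11-unix/lightdm"},  # daemon name, wrong path
    {"pid": 4720, "comm": "sshd",    "exe": "/usr/sbin/sshd"},
    {"pid": 4733, "comm": "cron",    "exe": "/dev/shm/cron"},           # daemon name, wrong path
]

# Constructed /proc/mounts content. The second line is a bind mount placed over
# /proc/4711, which hides that process's metadata from tools that read /proc.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /proc/4711 ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Directories from which a system daemon should never be executing.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Hypothetical allowlist of where these daemon names normally live.
EXPECTED_EXE = {
    "lightdm": "/usr/sbin/lightdm",
    "sshd": "/usr/sbin/sshd",
    "cron": "/usr/sbin/cron",
}


def masquerading_processes(processes):
    """Return (pid, comm, exe) for processes whose name looks like a system
    daemon but whose binary runs from a scratch directory or an unexpected path."""
    findings = []
    for proc in processes:
        exe = proc["exe"]
        expected = EXPECTED_EXE.get(proc["comm"])
        if exe.startswith(SUSPICIOUS_DIRS) or (expected is not None and exe != expected):
            findings.append((proc["pid"], proc["comm"], exe))
    return findings


# Matches a /proc/mounts line whose mountpoint is /proc/<pid> or something beneath it.
PROC_PID_MOUNT = re.compile(r"^\S+\s+(/proc/\d+)(?:/\S*)?\s+\S+\s")


def proc_bind_mounts(mounts_text):
    """Return the /proc/<pid> directories that have a filesystem mounted over them.
    Nothing legitimate mounts over a per-process directory, so any hit deserves a look."""
    return [m.group(1) for line in mounts_text.splitlines()
            if (m := PROC_PID_MOUNT.match(line))]


def hidden_process_report(processes, mounts_text):
    """Cross-reference both checks: which pids sit behind a bind mount, which
    processes masquerade as daemons, and which do both."""
    hidden = {int(path.rsplit("/", 1)[1]) for path in proc_bind_mounts(mounts_text)}
    masq = masquerading_processes(processes)
    return {
        "hidden_pids": sorted(hidden),
        "masquerading": masq,
        "masquerading_and_hidden": [f for f in masq if f[0] in hidden],
    }


if __name__ == "__main__":
    for key, value in hidden_process_report(SAMPLE_PROCESSES, SAMPLE_MOUNTS).items():
        print(f"{key}: {value}")
```

The mount check is the more reliable of the two, because a bind mount over /proc/<pid> has no legitimate use and the mount table is read independently of the hidden process; the path check depends on the allowlist being accurate for the host's distribution.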
Investigators discovered that the bank’s monitoring server communicated silently with the Raspberry Pi every 600 seconds, network behavior that was subtle enough not to stand out immediately as malicious.
However, deeper memory analysis revealed the deceptive nature of the processes and showed that these communications extended to an internal mail server with sustained Internet access.
Even after the physical implant was removed, the attackers maintained access via this secondary vector, which showed a calculated strategy to ensure continuity.
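A fixed 600-second check-in is easy to miss in volume-based dashboards, but its regularity is exactly what a periodicity check on flow or proxy logs can surface. The following Python is an added example written for this article, not the bank’s or Group-IB’s detection logic; the flow records and addresses are constructed, and the thresholds (`min_events`, `max_cv`) are illustrative values to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (timestamp, src, dst, dst_port); not logs from the incident.
# 10.1.2.20 -> 10.1.2.77 checks in every ~600 s with a second or two of jitter.
# 10.1.2.31 -> 10.1.2.5  is ordinary, irregular file-share traffic.
# 10.1.2.40 -> 10.1.2.77 has too few events to judge either way.
SAMPLE_FLOWS = [
    ("2024-01-01T00:00:00", "10.1.2.20", "10.1.2.77", 443),
    ("2024-01-01T00:10:00", "10.1.2.20", "10.1.2.77", 443),
    ("2024-01-01T00:20:01", "10.1.2.20", "10.1.2.77", 443),
    ("2024-01-01T00:30:00", "10.1.2.20", "10.1.2.77", 443),
    ("2024-01-01T00:39:59", "10.1.2.20", "10.1.2.77", 443),
    ("2024-01-01T00:50:00", "10.1.2.20", "10.1.2.77", 443),
    ("2024-01-01T00:00:00", "10.1.2.31", "10.1.2.5", 445),
    ("2024-01-01T00:03:20", "10.1.2.31", "10.1.2.5", 445),
    ("2024-01-01T00:15:00", "10.1.2.31", "10.1.2.5", 445),
    ("2024-01-01T00:16:00", "10.1.2.31", "10.1.2.5", 445),
    ("2024-01-01T00:42:00", "10.1.2.31", "10.1.2.5", 445),
    ("2024-01-01T00:05:00", "10.1.2.40", "10.1.2.77", 443),
    ("2024-01-01T00:15:00", "10.1.2.40", "10.1.2.77", 443),
]


def beacon_candidates(flows, min_events=5, max_cv=0.05):
    """Group flows by (src, dst, port), measure the gaps between consecutive
    connections, and flag pairs whose gaps are nearly constant.
    Returns {pair: rounded_interval_seconds} for every flagged pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(datetime.fromisoformat(ts))

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:  # too few samples to claim periodicity
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Coefficient of variation: a low value means metronome-like timing,
        # which legitimate interactive or bursty traffic rarely shows.
        if pstdev(gaps) / avg <= max_cv:
            flagged[pair] = round(avg)
    return flagged


if __name__ == "__main__":
    for pair, interval in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}:{pair[2]} every ~{interval}s")
```

Scheduled jobs and health checks also produce regular intervals, so in practice the output is a triage list to join against known pollers rather than an alert on its own; the value of the check is that a ten-minute cadence, which is unremarkable by volume, becomes visible by its regularity.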
Ultimately, the goal was to compromise the ATM switching server and deploy the custom CAKETAP rootkit, which can manipulate hardware security modules to authorize illegitimate transactions.
Such tactics would allow fraudulent cash withdrawals that appear legitimate to the bank’s systems.
Fortunately, the intrusion was stopped before this phase could be carried out.
This incident shows the risks associated with the growing convergence of physical access tactics and advanced anti-forensics techniques.
It also reveals that, in addition to remote hacking, insider threats or physical manipulation can facilitate identity theft and financial fraud.