ATM Heist Foiled: Hackers Used 4G Raspberry Pi

In a high-tech twist on an old-school bank heist, a group of sophisticated hackers planted a 4G-enabled Raspberry Pi inside a bank's internal network in an attempt to loot its ATMs. But thanks to sharp-eyed investigators, the heist was stopped just in time, before any financial damage occurred.

Cybersecurity firm Group-IB uncovered a sophisticated intrusion attempt by UNC2891 (aka LightBasin), a financially motivated threat group known for its attacks on banks and telecommunication systems worldwide since 2016. This time, however, the group demonstrated a new level of operational sophistication.

A Physical Break-In Meets Digital Intrusion

At the heart of the attack was a Raspberry Pi—a credit-card-sized computer equipped with a 4G modem. This device was physically installed on the same network switch as the ATM system, bypassing the bank's firewalls and perimeter defenses via mobile data. It hosted malware and served as a command-and-control node for the attackers, allowing them to move deeper into the network undetected.

Group-IB suspects the hackers either infiltrated the premises themselves or paid off an insider to plant the device.

A Network Under Siege

Once inside, the device hosted a TinyShell backdoor, which established a persistent command-and-control (C2) channel using Dynamic DNS.

From the compromised switch, the attackers moved laterally to the Network Monitoring Server, a critical system with connections to almost every other server in the bank's data center. Once that was under their control, they used it to access the Mail Server, which had direct internet access. Even if the Raspberry Pi were discovered, they had a backup route to keep their foothold.

To evade detection, the attackers employed an undocumented Linux anti-forensics technique using bind mounts (now recognized in MITRE ATT&CK T1564.013) to obscure malicious processes.

The backdoor was disguised as a legitimate system process named lightdm—a known Linux display manager—and executed from non-standard paths like /tmp/lightdm.

Another factor that contributed to the attack's high degree of stealth was LightBasin mounting alternative filesystems (such as tmpfs and ext4) over critical system paths, which successfully hid the backdoor's process data from standard forensic tools.

The attackers' objective was to plant a custom rootkit named CAKETAP on the bank's ATM switching server—a critical system that communicates with the bank's Hardware Security Module (HSM), the device that authorizes ATM transactions—allowing the hackers to spoof ATM authorization for fraudulent withdrawals and potentially siphon off large sums of cash.

Thankfully, Group-IB detected the operation before this could be achieved.

A Wake-Up Call For The Banking Sector

The incident is a rare but chilling example of how cybercriminals are blending physical access with remote exploitation, making them both difficult to detect and challenging to contain.

Group-IB is urging financial institutions to bolster both their physical and digital security, with recommendations such as:

  • Locking down physical access to network switches, especially near ATM infrastructure.
  • Monitoring for unusual filesystem activity, especially the mounting of /proc.
  • Capturing memory images during incident response—not just disk snapshots.
  • Blocking or flagging binaries that execute from suspicious paths like /tmp or .snapd.
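The bind-mount trick described above and two of the recommendations in this list (watch for mounts over /proc, flag binaries running from /tmp) can be turned into a simple host check. The script below is an added example written for this article, not Group-IB tooling or anything recovered from the incident: it parses a mount table in /proc/self/mounts format and a process list in the shape of /proc/<pid>/comm plus the /proc/<pid>/exe link, and reports overmounted /proc/<pid> entries, executables in scratch directories, and a process calling itself lightdm that does not run from the distribution's binary. The sample mount lines and process table are constructed, and the scratch-directory list and the "known good" lightdm paths are assumptions that would be tuned per distribution.

```python
"""Host check for the artefacts described in the article (added example, not vendor tooling):
bind/tmpfs/ext4 mounts layered over /proc/<pid>, binaries executing from scratch paths,
and a process masquerading as the lightdm display manager."""
import os
import re
from dataclasses import dataclass

# Directories from which legitimate daemons almost never execute (assumption).
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where distributions normally install the real lightdm binary (assumption).
KNOWN_GOOD_LIGHTDM = {"/usr/sbin/lightdm", "/usr/bin/lightdm"}

# Matches a mount target that is exactly /proc/<pid> or something beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass
class Finding:
    kind: str
    detail: str


def find_proc_overmounts(mounts_text):
    """Parse text in /proc/self/mounts format and return every mount that sits on a
    /proc/<pid> path. Whatever is mounted there (tmpfs, ext4, a bind of another
    directory) is what ps, ls /proc and most forensic tools will see instead of the
    real process entry, so any such mount is worth an analyst's attention."""
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        source, target, fstype = parts[0], parts[1], parts[2]
        if PROC_PID_RE.match(target):
            findings.append(Finding("proc_overmount",
                                    f"{fstype} from {source} mounted on {target}"))
    return findings


def find_suspicious_processes(procs):
    """procs: iterable of (pid, comm, exe) tuples, i.e. the contents of /proc/<pid>/comm
    and the readlink of /proc/<pid>/exe. Flags execution from scratch directories and
    display-manager impersonation (comm says lightdm, exe is not the packaged binary)."""
    findings = []
    for pid, comm, exe in procs:
        if exe.startswith(SUSPICIOUS_EXE_PREFIXES):
            findings.append(Finding("exe_in_scratch_dir",
                                    f"pid {pid} ({comm}) runs from {exe}"))
        if comm == "lightdm" and exe not in KNOWN_GOOD_LIGHTDM:
            findings.append(Finding("masqueraded_lightdm",
                                    f"pid {pid} claims to be lightdm but exe is {exe}"))
    return findings


def collect_live_processes():
    """Read the live process table on Linux; returns [] on other platforms.
    Processes whose /proc/<pid> has been overmounted will not appear correctly here,
    which is exactly why find_proc_overmounts() and a memory image are needed too."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # process exited, or we lack permission (kernel threads, other users)
        procs.append((int(name), comm, exe))
    return procs


# Constructed sample input modelled on the article; not data from the real incident.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/4242 tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /proc/4243 ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (900, "lightdm", "/usr/sbin/lightdm"),   # the genuine display manager
    (4242, "lightdm", "/tmp/lightdm"),       # the pattern the article describes
    (5000, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for f in find_proc_overmounts(SAMPLE_MOUNTS) + find_suspicious_processes(SAMPLE_PROCS):
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed sample it reports two overmounted /proc entries (a tmpfs and an ext4 mount) and flags pid 4242 twice, once for running from /tmp and once for impersonating lightdm. On a live host, replace SAMPLE_PROCS with collect_live_processes() and SAMPLE_MOUNTS with the contents of /proc/self/mounts; note that once /proc/<pid> has been overmounted, the process list for that pid shows whatever the attacker mounted there, so the mount check is the part that still fires, and a memory image, as the recommendations above say, is what actually recovers the hidden process.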

This incident highlights how a low-cost device like a Raspberry Pi can bypass million-dollar defenses if physical access is overlooked. It's a stark reminder that digital defense must account for physical vulnerabilities too—because even a small piece of hardware can pose a serious threat if placed in the wrong hands.

Kavita Iyer
https://www.techworm.net