In a high-tech twist on an old-school bank heist, a group of sophisticated hackers planted a 4G-enabled Raspberry Pi inside a bank's internal network in an attempt to loot its ATMs. But thanks to sharp-eyed investigators, the heist was stopped just in time before any financial damage occurred.
Cybersecurity firm Group-IB uncovered a sophisticated intrusion attempt by UNC2891 (aka LightBasin), a financially motivated threat group known for its attacks on banks and telecommunication systems worldwide since 2016. This time, however, the group demonstrated a new level of operational sophistication.
A Physical Break-In Meets Digital Intrusion
At the heart of the attack was a Raspberry Pi, a credit-card-sized computer equipped with a 4G modem. This device was physically installed on the same network switch as the ATM system, bypassing the bank's firewalls and perimeter defenses via mobile data. It hosted malware and served as a command-and-control node for the attackers, allowing them to move deeper into the network undetected.
Group-IB suspects the hackers either infiltrated the premises themselves or paid off an insider to plant the device.
A Network Under Siege
Once inside, the device hosted a TinyShell backdoor, which established a persistent command-and-control (C2) channel using Dynamic DNS.
From the compromised switch, attackers laterally moved to the Network Monitoring Server, a critical system with connections to almost every other server in the bank's data center. Once that was under their control, they used it to access the Mail Server, which had direct internet access. Even if the Raspberry Pi was discovered, they had a backup route to keep their foothold.
To evade detection, the attackers employed an undocumented Linux anti-forensics technique using bind mounts (now recognized in MITRE ATT&CK T1564.013) to obscure malicious processes.
The backdoor was disguised as a legitimate system process named lightdm, a known Linux display manager, and executed from non-standard paths like /tmp/lightdm.
Another factor that contributed to the attack's high degree of stealth was LightBasin mounting alternative filesystems (like tmpfs and ext4) over critical system paths, successfully hiding the backdoor's process data from standard forensic tools.
The attackers' objective was to plant a custom rootkit named CAKETAP on the bank's ATM switching server, a critical system that communicates with the bank's Hardware Security Module (HSM), the device that authorizes ATM transactions. This would have allowed the hackers to spoof ATM authorization for fraudulent withdrawals and potentially siphon off large sums of cash.
Thankfully, Group-IB detected the operation before this could be achieved.
A Wake-Up Call For The Banking Sector
The incident is a rare but chilling example of how cybercriminals are blending physical access with remote exploitation, making them both difficult to detect and challenging to contain.
Group-IB is urging financial institutions to bolster both their physical and digital security, with recommendations such as:
- Locking down physical access to network switches, especially near ATM infrastructure.
- Monitoring for unusual filesystem activity, especially mounts placed over paths under /proc.
- Capturing memory images during incident response, not just disk snapshots.
- Blocking or flagging binaries that execute from suspicious paths like /tmp or .snapd.
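The two evasion techniques described above (bind or tmpfs mounts placed over /proc/<pid> directories, and a backdoor executing from /tmp) both leave traces that a defender can check for. The following is an added example, not Group-IB's tooling or anything from the original report: it parses the /proc/self/mountinfo format to flag any mount whose mount point sits under a /proc/<pid> directory, and separately flags processes whose executable lives in a suspicious directory. The sample mountinfo lines and process list are constructed for the example; the directory list extends the page's /tmp and .snapd with /var/tmp and /dev/shm as an assumed addition.

```python
"""Detect /proc overmounts and binaries running from suspicious paths.

Added example; the sample data below is constructed, not taken from the incident.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Any mount point of the form /proc/<pid> or /proc/<pid>/... is worth flagging.
PID_DIR = re.compile(r"^/proc/(\d+)(/|$)")

# /tmp and .snapd come from the report; /var/tmp and /dev/shm are an assumed extension.
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUSPICIOUS_PATH_COMPONENTS = ("/.snapd/",)

# Constructed /proc/self/mountinfo sample. Format per proc(5):
#   id parent major:minor root mount_point options [optional...] - fstype source super_opts
SAMPLE_MOUNTINFO = """\
25 1 0:23 / / rw,relatime - ext4 /dev/sda1 rw
26 25 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
27 26 0:30 / /proc/1337 rw,relatime - tmpfs tmpfs rw
28 26 0:4 /4242 /proc/2020 rw,relatime - proc proc rw
29 25 0:31 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""


@dataclass
class MountFinding:
    pid: int
    mount_point: str
    fstype: str
    root: str
    reason: str


@dataclass
class Proc:
    pid: int
    comm: str
    exe: str


# Constructed process list: a genuine lightdm, a fake one in /tmp, and a .snapd binary.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(900, "lightdm", "/usr/sbin/lightdm"),
    Proc(2020, "lightdm", "/tmp/lightdm"),
    Proc(3100, "snapd", "/home/user/.snapd/updater"),
]


def parse_mountinfo(text: str) -> List[dict]:
    """Split mountinfo lines into the fields we need; the ' - ' token separates the two halves."""
    entries = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue  # blank or malformed line
        entries.append({"root": lf[3], "mount_point": lf[4], "fstype": rf[0], "source": rf[1]})
    return entries


def find_proc_overmounts(text: str) -> List[MountFinding]:
    """Flag every mount whose mount point is inside a /proc/<pid> directory.

    A non-proc filesystem there hides the real process data; a proc mount whose
    root is not '/' is a bind mount of some *other* pid's directory over this one.
    """
    findings = []
    for e in parse_mountinfo(text):
        m = PID_DIR.match(e["mount_point"])
        if not m:
            continue
        if e["fstype"] != "proc":
            reason = f"{e['fstype']} mounted over {e['mount_point']}"
        elif e["root"] != "/":
            reason = f"bind mount of /proc{e['root']} over {e['mount_point']}"
        else:
            reason = f"separate procfs instance mounted over {e['mount_point']}"
        findings.append(MountFinding(int(m.group(1)), e["mount_point"], e["fstype"], e["root"], reason))
    return findings


def flag_suspicious_exes(procs: List[Proc]) -> List[int]:
    """Return pids whose resolved executable lives in a suspicious directory."""
    return [
        p.pid
        for p in procs
        if p.exe.startswith(SUSPICIOUS_EXE_PREFIXES)
        or any(c in p.exe for c in SUSPICIOUS_PATH_COMPONENTS)
    ]


def scan_live_system() -> Tuple[List[MountFinding], List[int]]:
    """Run both checks against the real /proc of a Linux host (needs root to read every exe link)."""
    with open("/proc/self/mountinfo") as fh:
        mounts = find_proc_overmounts(fh.read())
    procs = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{d}/exe")
            with open(f"/proc/{d}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or permission denied
        procs.append(Proc(int(d), comm, exe))
    return mounts, flag_suspicious_exes(procs)


if __name__ == "__main__":
    for f in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(f"pid {f.pid}: {f.reason}")
    print("suspicious exe pids:", flag_suspicious_exes(SAMPLE_PROCS))
```

The two checks complement each other: once /proc/2020 is covered by a bind mount, reading /proc/2020/exe returns the benign process's link, so the exe check alone would miss the /tmp/lightdm backdoor, but the overmount is still visible in mountinfo. Both read /proc and so can be defeated by a kernel rootkit, which is why the report also recommends memory images rather than relying on the live system's view of itself.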
This incident highlights how a low-cost device like a Raspberry Pi can bypass million-dollar defenses if physical access is overlooked. It's a stark reminder that digital defense must account for physical vulnerabilities too, because even a small piece of hardware can pose a serious threat if placed in the wrong hands.