Hackers Plant 4G Raspberry Pi in Bank Network in Failed ATM Heist
Introduction – 4G Raspberry Pi
In late July 2025, a Group‑IB investigation report, corroborated by coverage in several security outlets, described a rare hybrid cyber‑physical attack: the threat actor UNC2891 (also tracked as LightBasin) physically planted a 4G‑equipped Raspberry Pi inside a bank’s ATM network to enable fraudulent withdrawals. Although the heist ultimately failed, the incident marks a notable evolution in threat actor tradecraft, combining physical infiltration with anti‑forensics and Linux rootkit techniques to evade detection.
Who Is UNC2891 / LightBasin?
UNC2891 is a financially motivated threat cluster, active since at least 2016, that specializes in Unix/Linux and Oracle Solaris environments. Several security firms, including Mandiant (now part of Google Cloud) and Group‑IB, have documented its overlapping tooling and its stealthy, long‑running campaigns against the financial and telecom sectors.
In 2022, Mandiant published research introducing CAKETAP, a Unix kernel rootkit built to intercept and manipulate communications with a payment Hardware Security Module (HSM). By tampering with the card and PIN verification messages it can make fraudulent cash withdrawals appear valid, including for cards that would otherwise be declined.
Their broader toolset includes:
- the TinyShell and Slapstick backdoors,
- the SUN4ME network reconnaissance toolkit,
- the Winghook and Wingcrack keyloggers,
- the SteelCorgi and SteelHound ELF packers,
- and log‑wiping utilities such as MIGLOGCLEANER.
This level of operational capability and anti‑forensics sophistication points to a group with deep knowledge of financial systems, strong OPSEC and a low detection footprint.
Anatomy of the Hybrid Attack – 4G Raspberry Pi
Physical Implantation of Raspberry Pi
According to Group‑IB, the attackers gained physical access to a bank branch, possibly with inside help or by bribing an employee, and connected a Raspberry Pi fitted with a 4G modem to the same network switch that carried the ATM traffic. The device sat out of sight on the ATM switch, giving the attackers a covert network pivot point.
This initial access method sidestepped the bank’s perimeter defenses entirely: the Pi’s command‑and‑control traffic left over cellular data, so it never crossed the firewalls or intrusion detection systems that watch the bank’s Internet edge.
Establishing Command & Control
Once connected, the Raspberry Pi ran the TinyShell backdoor, which established an outbound C2 channel to a Dynamic DNS domain over the 4G link. This gave the attackers persistent remote access that did not depend on the bank’s own Internet connectivity, and a foothold from which to move laterally into the bank’s infrastructure.
Lateral Propagation and Blending In
Using the Pi as a pivot, the attackers moved to the bank’s Network Monitoring Server, a host with broad connectivity into the data center. From there they compromised a Mail Server with direct Internet access, which gave them a second C2 path that would survive discovery and removal of the Pi.
To blend in, they named their backdoor binaries lightdm, after the legitimate Linux LightDM display manager, so the malicious processes looked innocuous in a process listing.
Innovative Anti‑Forensics Techniques – 4G Raspberry Pi
Linux Bind Mount Abuse (MITRE T1564.013)
One of the most notable stealth tactics was bind mount abuse. The attackers mounted a tmpfs or ext4 filesystem over the /proc/[pid] directories of their malicious processes. Because ps, top and most triage scripts build their process list by reading /proc/[pid], the overlaid directory hides the process metadata (command line, executable path, open files) and makes the process effectively invisible to those tools while it keeps running.
Group‑IB described this as a technique it had not previously seen documented in the wild; it is now catalogued in MITRE ATT&CK as T1564.013 (Hide Artifacts: Bind Mounts).
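The check a responder would run for this technique, as an added example that is not code from Group‑IB’s report: parse the /proc/self/mountinfo format documented in proc(5) and flag any mount whose mount point lies under a /proc/[pid] directory, regardless of filesystem type. The sample mountinfo excerpt is constructed (pids, devices and the masquerading‑as‑init variant on the last line are assumptions, not findings from the incident).

```python
"""Detect mounts placed over /proc/<pid> directories (T1564.013).

Added example, not code from the Group-IB report. Parses the
/proc/self/mountinfo format (see proc(5)) and flags any mount point
under /proc/<pid>, whatever the filesystem type.
"""
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed /proc/self/mountinfo excerpt (not captured from a real incident):
# pid 4711 is hidden under an empty tmpfs, pid 4712 under an empty ext4
# directory, and pid 4713 (an assumed variant) has pid 1's own procfs entry
# bind-mounted over it so that it reads as init.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
31 28 0:26 / /tmp rw,nosuid,nodev shared:17 - tmpfs tmpfs rw
95 22 0:45 / /proc/4711 rw,relatime shared:40 - tmpfs tmpfs rw,size=64k
96 22 8:17 /var/lib/empty /proc/4712 rw,relatime shared:41 - ext4 /dev/sdb1 rw
97 22 0:21 /1 /proc/4713 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")


@dataclass(frozen=True)
class ProcOvermount:
    pid: int
    mount_point: str
    fstype: str
    source: str
    root: str  # path inside the source filesystem that was mounted here


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> Iterator[dict]:
    """Yield one dict per mount; tolerant of the variable-length optional fields."""
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue
        sep = fields.index("-")  # separator before fstype / source / super options
        if sep < 6 or len(fields) < sep + 3:
            continue  # fewer than the six mandatory fields: malformed line
        yield {
            "root": _unescape(fields[3]),
            "mount_point": _unescape(fields[4]),
            "fstype": fields[sep + 1],
            "source": _unescape(fields[sep + 2]),
        }


def find_proc_overmounts(text: str) -> list[ProcOvermount]:
    """Return every mount that overlays a /proc/<pid> directory."""
    hits = []
    for m in parse_mountinfo(text):
        match = PROC_PID_RE.match(m["mount_point"])
        if match:
            hits.append(ProcOvermount(int(match.group(1)), m["mount_point"],
                                      m["fstype"], m["source"], m["root"]))
    return hits


def describe(hit: ProcOvermount) -> str:
    """Human-readable triage line; a procfs source means identity spoofing."""
    if hit.fstype == "proc":
        return (f"pid {hit.pid}: {hit.mount_point} shows procfs entry {hit.root} "
                f"instead of its own metadata (identity spoofed)")
    return (f"pid {hit.pid}: {hit.mount_point} hidden under {hit.fstype} "
            f"from {hit.source} (process invisible to ps/top)")


def scan_live_system(path: str = "/proc/self/mountinfo") -> list[ProcOvermount]:
    """Run the same check against the host this script executes on."""
    with open(path, encoding="utf-8") as fh:
        return find_proc_overmounts(fh.read())


if __name__ == "__main__":
    for h in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(describe(h))
```

Run it from the init mount namespace (or read /proc/1/mountinfo), since an overlay done inside a private namespace hides nothing from the host’s ps. The one‑line equivalent on a live box is `findmnt -R /proc`, or `awk '$2 ~ /^\/proc\/[0-9]+/' /proc/mounts`; either way any entry under a numeric /proc directory is anomalous and the pid it names should be pulled from the kernel task list via memory forensics rather than from /proc.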
Beaconing Behavior
Forensic analysis showed the Network Monitoring Server connecting to the Raspberry Pi on TCP port 929 every 600 seconds (10 minutes). This fixed‑interval pattern confirmed the Pi’s role as a pivot host and showed covert communication taking place entirely inside the perimeter, where the bank’s edge controls had no visibility.
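The detection that would have surfaced this pattern from flow records, as an added example that is not part of Group‑IB’s report: group connections by (source, destination, port, protocol), measure the gaps between them, and flag tuples whose gaps are nearly constant. The flow records are constructed; only TCP 929 and the 600‑second interval come from the published findings, while the IPs, timestamps, the legitimate 300‑second SNMP poll and the browsing noise are assumptions.

```python
"""Flag periodic internal connections ("beaconing") in flow records.

Added example, not from the Group-IB report. The flows below are
constructed: only TCP 929 and the ~600 s period reflect the published
findings; IPs, timestamps and the other traffic are made up.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # connection start, epoch seconds
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Beacon:
    src: str
    dst: str
    dport: int
    proto: str
    count: int
    period_s: float      # median gap between connections
    jitter_ratio: float  # median absolute deviation of the gaps / period


def build_sample_flows() -> list[Flow]:
    """Constructed flows: one covert beacon, one legitimate poll, some noise."""
    t0 = 1_753_000_000.0
    flows = []
    # monitoring server -> implant on TCP 929 every ~600 s (small jitter assumed)
    for i, j in enumerate([0, 1.2, -0.8, 0.5, 2.1, -1.4, 0.9, -0.3, 1.7, -2.0]):
        flows.append(Flow(t0 + 600 * i + j, "10.10.20.15", "10.10.30.7", 929))
    # same monitoring server polling a switch over SNMP every 300 s (legitimate, assumed)
    for i in range(6):
        flows.append(Flow(t0 + 17 + 300 * i, "10.10.20.15", "10.10.30.1", 161, "udp"))
    # a workstation browsing: irregular gaps, must not be flagged
    t = t0
    for gap in [0, 5, 37, 2, 120, 8, 300]:
        t += gap
        flows.append(Flow(t, "10.10.40.22", "93.184.216.34", 443))
    # too few events to judge periodicity
    for i in range(3):
        flows.append(Flow(t0 + 60 * i, "10.10.40.22", "10.10.1.53", 53, "udp"))
    return flows


def find_beacons(flows, min_count: int = 5, max_jitter_ratio: float = 0.05) -> list[Beacon]:
    """Keep (src, dst, dport, proto) tuples whose inter-connection gaps are near-constant.

    Median and median absolute deviation are used instead of mean/stdev so a
    few missed or doubled check-ins do not mask an otherwise rigid schedule.
    """
    by_tuple: dict[tuple, list[float]] = defaultdict(list)
    for f in flows:
        by_tuple[(f.src, f.dst, f.dport, f.proto)].append(f.ts)
    found = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        mad = statistics.median(abs(g - period) for g in gaps)
        ratio = mad / period
        if ratio <= max_jitter_ratio:
            found.append(Beacon(*key, len(stamps), round(period, 1), round(ratio, 4)))
    return sorted(found, key=lambda b: b.jitter_ratio)


def suspicious(beacons, expected_pollers: set[tuple[str, int]]) -> list[Beacon]:
    """Drop beacons to (dst, dport) pairs that are known, documented pollers."""
    return [b for b in beacons if (b.dst, b.dport) not in expected_pollers]


if __name__ == "__main__":
    all_beacons = find_beacons(build_sample_flows())
    for b in suspicious(all_beacons, {("10.10.30.1", 161)}):
        print(f"{b.src} -> {b.dst}:{b.dport}/{b.proto} every {b.period_s}s "
              f"({b.count} connections, jitter {b.jitter_ratio:.2%})")
```

Periodicity alone is not malicious: a monitoring server is full of legitimate pollers (SNMP, NTP, health checks), so the detector needs a baseline of expected (destination, port) pairs and should rank what remains by how unusual the destination and port are. A monitoring host talking on TCP 929 to an address that is not in the asset inventory is the kind of residual that deserves a look.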
The Intended Financial Impact: CAKETAP Rootkit Deployment
The attackers’ end goal was to install CAKETAP on the bank’s ATM switching server. There, the rootkit would intercept and spoof the HSM responses used for card and PIN verification so that fraudulent ATM withdrawals were approved, including transactions the bank’s systems would otherwise have declined.
CAKETAP also provides its own stealth: it hides network connections, processes and files, removes itself from the loaded kernel module list and rewrites kernel metadata to avoid detection.
Detection, Disruption & Aftermath – 4G Raspberry Pi
Discovery and Containment
Group‑IB identified anomalies inside the network, in particular the unexpected beaconing, which triggered a deeper forensic investigation. The Pi was removed before CAKETAP could be deployed, but analysts found that the mail server backdoor remained active after the removal, so the attackers still had a way back in.
Recovery & Lessons Learned
Whether any money was lost is less clear than the “failed heist” headlines suggest. The Register reported that, according to Group‑IB, the group did withdraw cash from a compromised ATM before the operation was shut down, and one report described an ATM in Indonesia dispensing cash before investigators intervened; the other coverage describes the heist as foiled before CAKETAP could be deployed, and no figures have been disclosed.
Why This Attack Matters – 4G Raspberry Pi
Evolving Threat Landscape
Most cyberattacks on financial infrastructure rely purely on remote access or malware deployment. This attack blended physical and digital vectors, showing an adversary willing to go “hands on keyboard and hands in the network closet” to obtain stealthy access with maximum impact.
Breaking Traditional Security Assumptions
Banks invest heavily in digital perimeter defenses. This incident shows that low‑cost hardware, a Raspberry Pi for around $35 and a modem kit for around $140, can sidestep those defenses entirely when the attacker has physical presence and a cellular uplink of their own, because the perimeter never sees the traffic.
It also underscores the critical importance of physical security controls and network visibility, especially for infrastructure components like ATM switches.
Advanced Anti‑Forensics
Using Linux bind mounts to conceal malicious executables and processes adds a dimension of stealth that defeats /proc‑based triage: ps, top and most collection scripts may show nothing unusual while malicious activity is under way. The overlay only alters the filesystem view, however; a memory image or a kernel‑level walk of the task list still shows the process, which is why the recommendations below lean on memory forensics rather than on process listings alone.
Recommendations for Defense
Based on Group‑IB’s findings and expert commentary:
- Enhance physical access controls around ATM infrastructure: lockable enclosures and surveillance for the rooms and cabinets that host network switches.
- Deploy network anomaly detection at the switch level, looking for traffic to unusual destinations or ports, such as periodic beacons to a host that should not exist on that segment.
- Monitor outbound DNS and Dynamic DNS traffic, while recognizing the limit of this control here: the Pi resolved its DDNS domain and beaconed over its own 4G link, so the bank’s resolvers and proxies never saw it. What the bank could see was the internal beaconing to the Pi and the mail server’s Internet‑bound C2.
- Use memory forensics and frequent process snapshots to catch anti‑forensics tricks such as bind mounts over /proc, which fool /proc‑based tools but not the kernel’s own task list.
- Run regular integrity checks on servers such as ATM switches, Network Monitoring Servers and Mail Servers.
- Audit the asset inventory against actual connectivity (switch MAC tables, port usage, 802.1X state) to detect unexpected devices on core infrastructure.
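One concrete form of the inventory audit in the last recommendation, as an added example that is not code from Group‑IB or from any vendor: parse a switch MAC address table, compare it with the asset inventory for the ATM VLAN, and flag unknown devices, devices on the wrong port, and addresses from Raspberry Pi OUIs. The MAC table output (Cisco IOS style), the inventory and every address in it are constructed; the three OUIs listed are the ones commonly attributed to the Raspberry Pi Foundation and Raspberry Pi Trading and should be checked against the IEEE registry before use.

```python
"""Audit a switch MAC address table against an asset inventory.

Added example, not from the Group-IB report. Table, inventory and MAC
addresses are constructed; the OUI set is an illustrative subset that
must be verified against the IEEE OUI registry before production use.
"""
import re
from dataclasses import dataclass

RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}  # assumed, verify

# Constructed "show mac address-table" output in Cisco IOS style.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 120    0011.2233.4455    DYNAMIC     Gi1/0/1
 120    0011.2233.4466    DYNAMIC     Gi1/0/2
 120    dca6.32aa.bb01    DYNAMIC     Gi1/0/7
 120    0011.2233.4477    DYNAMIC     Gi1/0/9
"""

# Constructed inventory for the ATM VLAN: MAC -> (asset name, expected port).
INVENTORY = {
    "00:11:22:33:44:55": ("atm-branch-01", "Gi1/0/1"),
    "00:11:22:33:44:66": ("atm-branch-02", "Gi1/0/2"),
    "00:11:22:33:44:77": ("atm-branch-03", "Gi1/0/3"),
}

ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    mac: str
    port: str
    severity: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff or aa:bb:... and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[tuple[int, str, str]]:
    """Return (vlan, normalized MAC, port) for each data row; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def audit(table: str, inventory: dict) -> list[Finding]:
    """Compare what the switch has learned with what the inventory says should be there."""
    findings = []
    seen = set()
    for _vlan, mac, port in parse_mac_table(table):
        seen.add(mac)
        oui_hint = " (Raspberry Pi OUI)" if mac[:8] in RASPBERRY_PI_OUIS else ""
        if mac not in inventory:
            findings.append(Finding(mac, port, "high",
                                    f"unknown device on ATM VLAN{oui_hint}"))
            continue
        name, expected_port = inventory[mac]
        if port != expected_port:
            findings.append(Finding(mac, port, "medium",
                                    f"{name} expected on {expected_port}"))
    for mac, (name, expected_port) in inventory.items():
        if mac not in seen:  # an ATM that dropped off its port deserves a look too
            findings.append(Finding(mac, expected_port, "low", f"{name} not seen on switch"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MAC_TABLE, INVENTORY):
        print(f"[{f.severity}] {f.mac} on {f.port}: {f.reason}")
```

Treat the MAC table as one signal, not proof: an implant can clone the MAC of the ATM it replaces, and a Pi wired inline between the ATM and the switch would not add a new address at all. Pair the audit with port security or 802.1X on ATM ports and alert on link flaps, since inserting a device inline bounces the link on that port.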
Broader Threat Landscape & Context
UNC2891’s History
- Active since at least 2016 and credibly linked to earlier campaigns against telecom and financial systems.
- Exposed publicly in Mandiant/Google’s 2022 report on CAKETAP, which also noted the cluster’s overlap with UNC1945/LightBasin.
- Known for robust backdoors (TinyShell, Slapstick), reconnaissance tooling (SUN4ME), keyloggers and purpose‑built anti‑forensics utilities.
Historical Precedents
- The 2022 exposure of CAKETAP was already a milestone in the recognition of ATM fraud malware.
- The 2025 hybrid implant attack goes a step further, combining hardware, cellular networking, anti‑forensics and multi‑layer persistence in a single campaign.
Conclusion
The thwarted UNC2891 attack, using a 4G‑equipped Raspberry Pi plugged into an ATM switch, is a watershed moment for financial institutions. It is one of the few publicly documented hybrid cyber‑physical intrusions to combine a hardware implant with advanced anti‑forensics, designed to sit undetected deep inside the infrastructure and bypass standard digital defenses.
Although CAKETAP was never deployed, the implications are severe. The case represents a shift towards attackers blending digital and physical methods, forcing defenders to rethink traditional approaches and extend them to physical surveillance, control over connected devices, and deeper endpoint forensics.
Financial institutions and defenders must remain vigilant. That means expanding security programs to include physical device monitoring, network anomaly detection across the estate, and robust process and memory inspection to defeat stealthy techniques like bind mount abuse. In the age of the ultra‑affordable Raspberry Pi, attackers can bring a powerful attack platform into a heavily secured environment; if defenders do not keep pace, tomorrow’s high‑impact breach could start just like this one.
References/Sources
- Group‑IB: UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic … (2025)
- Group‑IB (LinkedIn post): A bank heist like no other: UNC2891 breached the ATM network using a Raspberry Pi
- BleepingComputer: Hackers plant 4G Raspberry Pi on bank network in failed ATM heist (also syndicated at onsitecomputing.net)
- Google Cloud / Mandiant: Have Your Cake and Eat it Too? An Overview of UNC2891 (March 15, 2022)
- Google / Mandiant: M‑Trends 2022 (PDF)
- Malwarebytes: A new rootkit comes to an ATM near you (March 21, 2022)
- Cyware Labs: Caketap Rootkit by UNC2891 Targets Banks Customers (March 20, 2022)
- Netizen: Netizen Cybersecurity Bulletin (July 31, 2025)
- The Register: Cybercrooks use Raspberry Pi to steal ATM cash
- The Hacker News: UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries …
- GovInfoSecurity: Hackers Connected Raspberry Pi to ATM in Bank Heist Attempt
- il blog della sicurezza informatica: Mr Robot Teaches: A Raspberry Pi with 4G support used by hackers …
- Ars Technica: In search of riches, hackers plant 4G‑enabled Raspberry Pi in bank …
- WebProNews: UNC2891 Hackers Plant Raspberry Pi to Breach Bank ATM Systems
- Infosecurity Magazine: Hidden Backdoor Found in ATM Network via Raspberry Pi
- YouTube: UNC2891: The ATM Hack Using Raspberry Pi and CAKETAP Rootkit