Hackers Smuggled 4G-Enabled Raspberry Pi into Bank Network to Breach ATM System, Researchers Reveal


In a breach that blends physical intrusion with cutting-edge malware, hackers planted a Raspberry Pi connected to a 4G modem inside the network of an unnamed bank—putting them one step away from compromising the bank’s ATM system. Cybersecurity firm Group-IB revealed the new tactic in a report released Wednesday, calling it an “unprecedented” method of bypassing digital perimeter defenses by using a physical device.


A Raspberry Pi Deep Inside the Bank’s Network

The attackers managed to get their Raspberry Pi onto the same network switch that serves the bank's ATM infrastructure, placing it deep inside the internal network rather than somewhere behind the perimeter. Its 4G modem gave them a command channel over mobile data that never touched the bank's internet gateway, so perimeter firewalls, proxies and egress monitoring had nothing to inspect.


The heist attempt was attributed to UNC2891, a financially motivated group tracked since at least 2017 and known for custom malware aimed at Linux, Unix and Oracle Solaris systems. According to Group-IB, the objective was to take control of the bank's ATM switching server and, from there, tamper with its exchanges with the hardware security module (HSM): the tamper-resistant appliance that holds the bank's cryptographic keys and performs the PIN and card verification that decides whether a withdrawal is approved.


Malware Hidden in Plain Sight

The Raspberry Pi was not working alone. UNC2891 had also compromised an internal mail server that had direct internet access. The two footholds talked to each other through the bank's own network monitoring server, which polls nearly every host in the data centre: it already had network reach into the rest of the environment, and traffic coming from it looked routine.

Group-IB's investigators first noticed irregular activity on that monitoring server: every 10 minutes it beaconed outbound to a device that did not appear in the bank's inventory. Forensic analysis traced the connections to the Raspberry Pi and the mail server, but the process that owned them could not be found. That was the first sign that something was wrong.
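The clue above, a host calling out on a fixed timer to something that is not on the books, is easy to turn into a detection. The script below is an added example written for this article, not Group-IB's tooling; the flow records, the host inventory and the field names (`src=`, `dst=`, `dport=`) are constructed for illustration.

```python
"""Added example (not part of the Group-IB report): flag hosts that call out on
a fixed timer to something missing from the asset inventory, the pattern the
investigators spotted on the monitoring server.  All records are constructed."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed flow records, one per outbound TCP connection attempt.
# 10.40.1.15 plays the monitoring server; port 161 is its normal SNMP polling.
SAMPLE_LOG = """\
2025-06-01T08:00:02 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T08:00:09 src=10.40.1.15 dst=10.40.1.20 dport=161
2025-06-01T08:03:41 src=10.40.1.15 dst=10.40.1.21 dport=161
2025-06-01T08:10:01 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T08:14:58 src=10.40.1.15 dst=10.40.1.20 dport=161
2025-06-01T08:20:03 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T08:22:10 src=10.40.1.15 dst=10.40.1.22 dport=161
2025-06-01T08:30:00 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T08:40:02 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T08:47:30 src=10.40.1.15 dst=10.40.1.20 dport=161
2025-06-01T08:50:01 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T09:00:03 src=10.40.1.15 dst=10.40.1.77 dport=929
2025-06-01T09:10:02 src=10.40.1.15 dst=10.40.1.77 dport=929
"""

# Hosts the bank knows about (constructed).  10.40.1.77 is deliberately absent.
KNOWN_HOSTS = {"10.40.1.15", "10.40.1.20", "10.40.1.21", "10.40.1.22"}


def parse_flows(text):
    """Turn 'ts src=.. dst=.. dport=..' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        flows.append((datetime.fromisoformat(ts), fields["src"],
                      fields["dst"], int(fields["dport"])))
    return flows


def find_beacons(flows, known_hosts, min_hits=5, max_jitter=0.05):
    """Group flows by (src, dst, dport) and keep the groups whose inter-arrival
    times are nearly constant.  The median gap is the beacon period; the spread
    around it (population stdev / median) is the jitter.  Legitimate polling is
    periodic too, so whether the destination is in the inventory is reported as
    a separate field rather than folded into the score."""
    by_tuple = defaultdict(list)
    for ts, src, dst, port in flows:
        by_tuple[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), stamps in by_tuple.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = statistics.pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": port,
                            "count": len(stamps), "period_s": period,
                            "jitter": round(jitter, 4),
                            "known_dst": dst in known_hosts})
    # Unknown destinations first, then the most talkative.
    return sorted(beacons, key=lambda b: (b["known_dst"], -b["count"]))


if __name__ == "__main__":
    for b in find_beacons(parse_flows(SAMPLE_LOG), KNOWN_HOSTS):
        print("%(src)s -> %(dst)s:%(dport)d every %(period_s).0fs "
              "(%(count)d hits, jitter %(jitter)s, in inventory: %(known_dst)s)" % b)
```

On the constructed data only the 10-minute pattern to 10.40.1.77 survives the jitter test, and it is flagged as an unknown destination. The SNMP polls are periodic in principle but too sparse here to pass `min_hits`; on real flow data you would tune `min_hits` and `max_jitter` to the collection window and expect to whitelist known pollers.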


Disguised Malware and a Novel Use of Bind Mounts

The malware was camouflaged. One backdoor process masqueraded as lightdm, the display manager found on many Linux desktops, down to fake command-line arguments such as lightdm --session child 11 19 chosen to look like those of a real LightDM session process. What gave it away was location: the binary named lightdm sat in a directory where the genuine display manager is never installed.

Deeper memory analysis showed that UNC2891 had used a technique not previously documented in an intrusion: the Linux bind mount. A bind mount is an ordinary administrative feature that makes one directory visible at a second path. Here the attackers mounted a different directory over the malicious process's own entry under /proc, so ps, top, lsof and forensic tools that read /proc saw nothing of it. The effect is rootkit-like, yet it needs no kernel module, survives casual inspection, and shows up only if someone examines the mount table.
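Both tricks in the two paragraphs above, the lightdm impostor in the wrong directory and the bind mount over /proc, leave traces a responder can check for. The following script is an added example written for this article, not Group-IB's tooling or anything from the report; the mountinfo excerpt and the process records are constructed, and the expected install paths for lightdm are an assumption based on common distributions.

```python
"""Added example: spot two of the hiding tricks described above on a Linux
host.  Illustrative code written for this article, not Group-IB's tooling.
The mountinfo lines and the process records below are constructed."""
import os
import re

# Constructed /proc/self/mountinfo excerpt (assumption: a typical systemd host).
# Mount 40 puts PID 1's proc view over /proc/4321; mount 41 puts a directory
# from the root disk over /proc/5150.  Neither has any legitimate reason to exist.
SAMPLE_MOUNTINFO = """\
21 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
30 21 0:32 / /proc/sys/fs/binfmt_misc rw,relatime shared:15 - autofs systemd-1 rw,fd=29
25 1 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=4096k
40 21 0:19 /1 /proc/4321 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
41 21 8:1 /.cache /proc/5150 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Constructed process records: (pid, resolved /proc/<pid>/exe, cmdline).
SAMPLE_PROCS = [
    (1200, "/usr/sbin/lightdm", "/usr/sbin/lightdm --session-child 12 19"),
    (5150, "/tmp/lightdm", "lightdm --session child 11 19"),
]
# Where the genuine binary lives on common distributions (assumption).
EXPECTED_EXE = {"lightdm": ("/usr/sbin/lightdm", "/usr/bin/lightdm")}

PROC_PID_RE = re.compile(r"^/proc/(\d+)(/|$)")


def _unescape(path):
    # mountinfo encodes space, tab, newline and backslash as \040, \011, ...
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Parse mountinfo(5) lines into dicts with the fields we care about."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.partition(" - ")   # optional fields end at ' - '
        h, t = head.split(), tail.split()
        mounts.append({"id": int(h[0]), "root": _unescape(h[3]),
                       "mount_point": _unescape(h[4]), "fstype": t[0],
                       "source": t[1] if len(t) > 1 else ""})
    return mounts


def find_proc_overmounts(text):
    """Return mounts that sit on top of a /proc/<pid> directory.

    Nothing legitimate is mounted there, so any hit is worth a look: either a
    foreign filesystem has been bind-mounted from disk, or another process's
    proc view (fstype proc with a non-root 'root' field) has been placed over
    the real entry.  Both blind tools that read /proc, which is what hid the
    backdoor's process from the investigators."""
    hits = []
    for m in parse_mountinfo(text):
        match = PROC_PID_RE.match(m["mount_point"])
        if not match:
            continue
        m["pid"] = int(match.group(1))
        if m["fstype"] == "proc" and m["root"] != "/":
            m["why"] = "proc view of pid %s bind-mounted over it" % m["root"].strip("/")
        else:
            m["why"] = "%s from %s bind-mounted over it" % (m["fstype"], m["source"])
        hits.append(m)
    return hits


def find_masquerades(procs, expected=EXPECTED_EXE):
    """Flag processes whose argv[0] claims a well-known name but whose
    executable is not where that program is installed.  A deleted binary
    shows up as '/path (deleted)' and is flagged too, which is intended."""
    hits = []
    for pid, exe, cmdline in procs:
        claimed = os.path.basename(cmdline.split()[0]) if cmdline else ""
        if claimed in expected and exe not in expected[claimed]:
            hits.append((pid, claimed, exe))
    return hits


def live_procs():
    """Read (pid, exe, cmdline) for every visible process; Linux only."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink("/proc/%s/exe" % name)
            with open("/proc/%s/cmdline" % name, "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue   # other users' processes, or it exited meanwhile
        out.append((int(name), exe, cmdline))
    return out


if __name__ == "__main__":
    for m in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print("sample: pid %d: %s" % (m["pid"], m["why"]))
    for hit in find_masquerades(SAMPLE_PROCS):
        print("sample: pid %d claims %s but runs %s" % hit)
    if os.path.exists("/proc/self/mountinfo"):   # live check on a Linux host
        with open("/proc/self/mountinfo") as f:
            live = find_proc_overmounts(f.read())
        print("live: %d /proc overmount(s), %d masquerade(s)"
              % (len(live), len(find_masquerades(live_procs()))))
```

Run it as root from the initial mount namespace so that `/proc/self/mountinfo` reflects the view the attacker's tools were deceiving; a bind mount created in a private mount namespace would not appear here, but then it would not hide anything from the host's own `ps` either. The masquerade check is deliberately narrow (known names only); extend `EXPECTED_EXE` with the daemons that matter in your environment.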

Group-IB has since contributed the technique to the MITRE ATT&CK framework, where it is catalogued as T1564.013, Hide Artifacts: Bind Mounts.


How Close Did They Get?

Fortunately, the intrusion was caught before UNC2891 reached its endgame. The attackers were cut off before they could deploy CAKETAP on the ATM switching server. CAKETAP, a Solaris kernel rootkit previously documented by Google's Mandiant division, hooks the switch's messages to and from the HSM and alters card and PIN verification responses, so that withdrawals made with attacker-controlled cards are approved.

In past cases, Mandiant reported that UNC2891 remained undetected inside some bank networks for years. In this attack, however, the breach was discovered and neutralized in time.


Bigger Picture


What makes this intrusion notable is how it combined physical devices, advanced malware obfuscation, and novel Linux-based techniques to create persistent, covert access within a banking institution. According to Group-IB’s Nam Le Phuong, “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network.”

The fact that the attackers physically inserted a cheap, portable computing device into a critical financial network speaks to the evolving nature of threats facing financial institutions. It’s not just about firewalls and encryption anymore—sometimes the threat walks through the front door and plugs into the network switch.

As of now, Group-IB hasn’t disclosed which bank was targeted or how the Raspberry Pi was physically planted.

But the message is clear: old-school physical access, paired with ultra-modern malware, is a potent combo that even some of the most secure institutions may not be fully prepared for.

Keywords: Raspberry Pi, Bank Hack, UNC2891, ATM System Breach, Group-IB, Linux Malware, Bind Mounts, Digital Forensics, ATM Switch, Financial Cybercrime.

