A sophisticated and alarming cyber-physical attack has been uncovered, where a financially motivated threat group successfully breached a bank’s ATM network by physically installing a 4G-equipped Raspberry Pi device. The incident, brought to light by cybersecurity firm Group-IB, highlights a dangerous new evolution in cybercrime that combines physical access with advanced anti-forensics techniques.
The attackers, a group known as UNC2891, managed to place the small, credit-card-sized computer on a network switch that was shared with an ATM. The device, equipped with a 4G modem, created a persistent backdoor into the bank’s internal network, completely bypassing traditional perimeter firewalls and digital defenses. This allowed the hackers to maintain remote control over the compromised network via a mobile data connection.
According to Group-IB’s report, the attackers’ goal was to move laterally through the network to reach the bank’s ATM switching server. Their ultimate objective was to deploy a custom rootkit, dubbed CAKETAP, which is designed to manipulate hardware security module (HSM) responses. By spoofing these authorization messages, the attackers could have facilitated unauthorized cash withdrawals, a type of attack known as “jackpotting.”
The attack was exceptionally stealthy, employing an undocumented anti-forensics technique that abused Linux bind mounts. This method allowed the group to hide their malware, a custom backdoor called TINYSHELL, from standard process listings. Initial forensic analysis failed to detect the intrusion, and it was only through deep memory and network analysis that investigators uncovered the hidden processes and the device’s outbound communication to a command-and-control server.
While the campaign was ultimately thwarted before the group could inflict any significant financial damage, the incident serves as a critical warning to financial institutions. It demonstrates that relying solely on digital security measures is no longer sufficient. Banks must now also address the physical vulnerabilities of their infrastructure, securing network points and hardware that could be targeted by threat actors. This breach underscores the growing need for a overall security approach that integrates both physical and cyber defenses to protect against increasingly inventive and determined criminals.
