NEWS Raspberry Pi Posed as System Administrator and Fooled a Major Bank

ExcalibuR


A device with a 4G modem was connected to an ATM switch to enable remote access.


Hackers installed a Raspberry Pi mini-computer with a 4G modem inside a bank’s internal network to gain remote access to the ATM system and attempt to steal money. This was reported by researchers from Group-IB. According to them, this tactic allowed the attackers to completely bypass the perimeter security and stealthily infiltrate the bank’s critical infrastructure.


The device was connected to the same network switch as the ATM system, effectively giving the hackers direct access to the bank’s internal network. The ultimate goal of the attack was to compromise the ATM switch server and gain control over the hardware security module — a specialized device that stores cryptographic keys and performs encryption and signing operations.


The attack was attributed to the well-known cybercriminal group UNC2891, active since 2017 and specializing in infiltrating banking infrastructures using custom malware targeting Linux, Unix, and Solaris systems. Previously, Mandiant experts documented how this group remained hidden inside a bank's network for years by deploying the CakeTap rootkit. This program enabled them to intercept messages within the ATM network, seemingly to organize unauthorized cash withdrawals using fake cards.


In the latest attack, the criminals employed another unusual technique — disguising the malware using the bind mount mechanism, commonly used in Linux system administration. This technology allows one directory to be “bound” to another and was used here to conceal traces of a malicious process running under the guise of a legitimate LightDM system component. The program mimicked legitimate process parameters to confuse analysts during the investigation.


In addition to the Raspberry Pi, the group also compromised the bank’s mail server — the only system with constant internet access. Both devices communicated through an intermediary monitoring server that had access to all other servers in the data center. Suspicious activity on this server helped Group-IB researchers detect anomalies and launch an investigation. One of the warning signs was outbound connections every 10 minutes to an unknown device.


Forensics revealed that the malware’s stealth techniques were so effective that even advanced tools couldn’t determine which process had initiated the connections. Only by analyzing a memory dump were investigators able to identify the disguised process.


Experts have since added the bind mount technique to the MITRE ATT&CK framework under the ID T1564.013. Despite the attack’s complexity, the malicious infrastructure was detected and neutralized before the hackers could achieve their goal — deploying the CakeTap rootkit into the ATM network. Nevertheless, the incident serves as a clear example of how the combination of physical intrusion and advanced obfuscation techniques can bypass even the most modern security measures.
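A small detection check for the bind mount hiding technique described above (the paragraph on the disguised LightDM process and ATT&CK T1564.013). This is an added example, not code from the article or from Group-IB, and it assumes the concealment works by bind-mounting a prepared directory over the malicious process's /proc/<pid> entry: it parses /proc/self/mountinfo and reports any mount sitting on a PID directory that is not the native procfs root. The mountinfo lines below are constructed, not a real capture.

```python
import re
from typing import Dict, List

# Constructed /proc/self/mountinfo sample (not a real capture). The last line models a
# bind mount placed over a process's /proc/<pid> directory, so reads of
# /proc/4321/cmdline, /proc/4321/exe, ... are served from /tmp/.x/fake instead of procfs.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
29 22 0:21 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=30
30 28 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
41 22 8:1 /tmp/.x/fake /proc/4321 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Mount points that are a PID directory, or anything beneath one (benign
# entries such as /proc/sys/fs/binfmt_misc do not match).
PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")


def unescape_field(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal escapes (\040 etc.)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines (format per proc(5)); optional fields are skipped."""
    entries = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue  # blank or malformed line
        entries.append({
            "root": unescape_field(lf[3]),         # path inside the source filesystem
            "mount_point": unescape_field(lf[4]),  # where it is visible
            "fstype": rf[0],
            "source": rf[1],
        })
    return entries


def find_proc_bind_mounts(text: str) -> List[Dict[str, str]]:
    """Flag mounts sitting on /proc/<pid>: either a foreign filesystem, or procfs
    re-bound from somewhere other than its root (e.g. /proc/1 placed over /proc/4321)."""
    hits = []
    for e in parse_mountinfo(text):
        m = PID_DIR.match(e["mount_point"])
        if m and (e["fstype"] != "proc" or e["root"] != "/"):
            hits.append({"pid": m.group(1), **e})
    return hits


if __name__ == "__main__":
    # On a live host, pass open("/proc/self/mountinfo").read() instead of the sample.
    for h in find_proc_bind_mounts(SAMPLE_MOUNTINFO):
        print(f"pid {h['pid']}: {h['mount_point']} is {h['fstype']} from {h['source']}:{h['root']}")
```

A hit means the kernel's own view of that PID directory has been replaced, so any cmdline, exe or maps read from it is untrustworthy and the process should be examined from memory, as the investigators here had to do.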