https://www.group-ib.com/blog/unc2891-bank-heist

A sophisticated cybercriminal group successfully executed a physical network intrusion using a Raspberry Pi device to steal cash from an Indonesian ATM, demonstrating a new level of coordination between digital expertise and physical infiltration tactics. Group-IB researchers revealed that the attack, which occurred in Q1 2024, involved the threat cluster UNC2891 paying “runners” to physically plant the compact computing devices directly onto the bank’s network infrastructure, bypassing traditional perimeter security measures that focus primarily on digital intrusion attempts.

The attack methodology showcased advanced technical capabilities, with criminals connecting a Raspberry Pi equipped with a 4G modem to a bank network switch that was connected to the targeted ATM. This physical access granted the attackers remote connectivity to the bank’s internal network, allowing them to deploy a backdoor called Tinyshell that established persistent access through command-and-control channels and dynamic DNS domains. The group employed sophisticated obfuscation techniques, including disguising their backdoor to appear as the legitimate LightDM display manager commonly used on Linux systems, and utilizing previously undocumented Linux bind mount techniques to hide malicious processes from detection.
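A defender-side check for the bind-mount process hiding mentioned above, added here as an example and not taken from the Group-IB article: a bind mount placed over `/proc/<pid>` makes tools such as `ps` lose sight of that process, but the mount itself is still recorded in `/proc/self/mountinfo`. The script parses a constructed mountinfo sample (embedded inline) and flags any mount whose target is a `/proc/<pid>` directory.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo content (not real data from the article).
# Layout: id parent major:minor root mount_point options [optional fields] - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
28 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
40 22 0:21 /1 /proc/4312 rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
41 28 259:2 /var/empty /proc/5190 rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
"""

# A mount point that is exactly /proc/<pid> (or a path beneath it) is the overmount trace.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines into dicts holding the fields relevant to this check."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The " - " separator divides the fixed/optional fields from fstype/source/superopts.
        pre, _, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # malformed line; skip rather than crash the scan
        entries.append({
            "root": pre_fields[3],          # path inside the source fs that was mounted
            "mount_point": pre_fields[4],   # where it appears in this namespace
            "fstype": post_fields[0],
            "source": post_fields[1],
        })
    return entries


def find_proc_overmounts(text: str) -> List[Dict[str, str]]:
    """Return every mount whose target sits on a /proc/<pid> directory, tagged with that pid."""
    hits = []
    for entry in parse_mountinfo(text):
        match = PROC_PID_RE.match(entry["mount_point"])
        if match:
            hits.append(dict(entry, hidden_pid=match.group(1)))
    return hits


if __name__ == "__main__":
    # Scan the live system (runs from whatever mount namespace the script is started in).
    with open("/proc/self/mountinfo") as fh:
        for hit in find_proc_overmounts(fh.read()):
            print(f"overmount on /proc/{hit['hidden_pid']}: {hit['fstype']} "
                  f"{hit['source']} (root {hit['root']})")
```

The scan only sees the mount namespace it runs in, so run it from the host's initial namespace rather than inside a container.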

UNC2891, which has been active since 2017 and has connections to other threat groups including UNC1945/LightBasin, MustangPanda, and RedDelta, successfully withdrew cash from the compromised ATM before the attack was mitigated several days later. The criminals maintained redundant access by also compromising the bank’s mail server, ensuring continued network connectivity even if the Raspberry Pi was discovered and removed. While defenders ultimately prevented the group from deploying their final payload, the “Caketap” rootkit designed to spoof authorization messages for further cash withdrawals, the incident highlights an evolving threat landscape in which cybercriminals combine traditional hacking skills with physical infiltration tactics to defeat conventional security measures.