Cybersecurity researchers have uncovered a sophisticated attack campaign by the UNC2891 threat group that used physical hardware installation and advanced anti-forensics techniques to target banking infrastructure.
The financially motivated attackers hid their backdoors with a Linux bind-mount process-hiding method that had not been documented in the wild before and is now catalogued in the MITRE ATT&CK framework as T1564.013 (Hide Artifacts: Bind Mounts), demonstrating how conventional host defences can be circumvented with a small, legitimate kernel feature.
The attack’s most distinctive element involved the physical installation of a Raspberry Pi device directly connected to the same network switch as ATM systems, effectively placing the malicious hardware inside the bank’s internal network perimeter.
The device was equipped with a 4G modem, giving the attackers an out-of-band path over the mobile network that never traversed the bank's perimeter firewall, so perimeter filtering and egress monitoring saw none of it.
Using the TINYSHELL backdoor, attackers established persistent command-and-control channels via Dynamic DNS domains, maintaining continuous external access to ATM networks.
An internal host beaconed outbound every 600 seconds, making repeated connection attempts to the Raspberry Pi on port 929, yet initial forensic triage could not tie the traffic to any process ID or other suspicious activity on the host.
The campaign’s stealth relied heavily on Linux bind mount abuse, a technique that hides backdoor processes from conventional detection tools.
Attackers deployed backdoors masquerading as legitimate processes, specifically naming malicious binaries “lightdm” to mimic the authentic LightDM display manager found on Linux systems.
The processes ran with command-line arguments resembling legitimate parameters, such as "lightdm --session child 11 19", so that a casual review of the process list would pass over them.
Standard forensic triage tools repeatedly failed to detect these backdoors because the attackers leveraged bind mounts to obscure process visibility.
Memory forensics revealed suspicious processes whose binaries lived in unusual locations such as /tmp/lightdm and /var/snap/.snapd/lightdm, and the mount table showed tmpfs and ext4 filesystems mounted over the corresponding /proc/[pid] directories, which is what made them invisible to tools that enumerate /proc.
Group-IB’s investigation revealed that the ultimate objective was compromising ATM switching servers to deploy CAKETAP, a rootkit designed to manipulate Hardware Security Module (HSM) responses and spoof authorization messages for fraudulent cash withdrawals.
The Network Monitoring Server served as a critical pivot point, providing connectivity to virtually every server within the targeted data center.
The multi-pivot access path combined physical hardware placement, network infiltration, and infrastructure control, making containment particularly challenging.
Even after the Raspberry Pi was discovered and removed, the attackers retained internal access through backdoors on mail servers that had direct internet connectivity.
Cybersecurity experts recommend monitoring mount and umount syscalls, alerting whenever any filesystem (tmpfs or a bind mount from disk) is mounted over a /proc/[pid] directory, blocking binaries that execute from temporary directories, physically securing network infrastructure such as switches and patch panels, and incorporating memory forensics into incident response procedures, since live /proc-based triage is exactly what the technique defeats.
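The mount-table check and the masquerade check above can be turned into a small triage script. The following is an added example written for this article, not Group-IB's tooling or anything recovered from the intrusion; the /proc/mounts lines and the process records are constructed to mimic the technique (a tmpfs and an ext4 bind mount placed over /proc/[pid], and "lightdm" binaries running from /tmp and /var/snap/.snapd), and the list of suspicious directories is an assumption rather than a published indicator.

```python
"""Triage helpers for bind-mount process hiding (ATT&CK T1564.013)."""
import os
import re

# Constructed sample of /proc/mounts output (NOT from the Group-IB report).
# Two PIDs have something mounted over their /proc directory: a tmpfs and a
# bind mount of an ext4 filesystem.  Either one empties /proc/<pid> for ps.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /proc/1337 tmpfs rw,relatime 0 0
/dev/sda1 /proc/2048 ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

# Constructed process records, shaped like what memory forensics (which does
# not read /proc) would surface.  Paths under /tmp and /var/snap/.snapd are
# the locations named in the article; the real display manager lives in
# /usr/sbin.  The "cmdline" strings copy the decoy arguments described above.
SAMPLE_PROCS = [
    {"pid": 1012, "comm": "lightdm", "exe": "/usr/sbin/lightdm",
     "cmdline": "/usr/sbin/lightdm"},
    {"pid": 1337, "comm": "lightdm", "exe": "/tmp/lightdm",
     "cmdline": "lightdm --session child 11 19"},
    {"pid": 2048, "comm": "lightdm", "exe": "/var/snap/.snapd/lightdm",
     "cmdline": "lightdm --session child 11 19"},
    {"pid": 3100, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "cmdline": "sshd: /usr/sbin/sshd -D"},
]

# Assumed list of directories nothing legitimate should execute from.
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/snap/.snapd/")

# Matches a mount point that is exactly /proc/<pid> or something beneath it.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


def find_hidden_pid_mounts(mounts_text):
    """Parse /proc/mounts text; return {pid: (source, fstype)} for every
    mount whose mount point sits on top of /proc/<pid>.  Any such mount is
    abnormal: nothing legitimate mounts over a process directory."""
    hidden = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        source, mountpoint, fstype = fields[0], fields[1], fields[2]
        match = PROC_PID_MOUNT.match(mountpoint)
        if match:
            hidden[int(match.group(1))] = (source, fstype)
    return hidden


def flag_masquerading(procs):
    """Return PIDs whose executable lives in a temp/staging directory,
    regardless of how convincing the process name or arguments look."""
    return sorted(p["pid"] for p in procs
                  if p["exe"].startswith(SUSPICIOUS_EXE_PREFIXES))


def triage(mounts_text, visible_pids):
    """Cross-check: PIDs covered by a /proc/<pid> mount that do NOT appear
    in a /proc-based process listing (e.g. ps) are being actively hidden."""
    hidden = find_hidden_pid_mounts(mounts_text)
    return sorted(pid for pid in hidden if pid not in set(visible_pids))


def live_hidden_pids():
    """Run on a Linux host: return /proc/<pid> mounts whose PID is alive.
    os.kill(pid, 0) sends no signal; it only reports whether the PID exists
    (PermissionError means it exists but belongs to another user)."""
    with open("/proc/self/mounts") as fh:
        hidden = find_hidden_pid_mounts(fh.read())
    alive = {}
    for pid, info in hidden.items():
        try:
            os.kill(pid, 0)
            alive[pid] = info
        except ProcessLookupError:
            continue
        except PermissionError:
            alive[pid] = info
    return alive


if __name__ == "__main__":
    # ps would only have seen 1012 and 3100; the other two are covered.
    print("mounted over /proc/<pid>:", find_hidden_pid_mounts(SAMPLE_MOUNTS))
    print("hidden from ps:", triage(SAMPLE_MOUNTS, [1012, 3100]))
    print("executing from temp dirs:", flag_masquerading(SAMPLE_PROCS))
```

The mount-table check works because the hiding mount is itself recorded in /proc/mounts and /proc/self/mountinfo; the attacker can empty /proc/[pid], but not the kernel's own list of mounts. Running `live_hidden_pids()` as root on a suspect host gives a quick answer before a memory image is taken, and the `flag_masquerading` rule applies to whatever process list memory forensics later produces.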
This case demonstrates that comprehensive security strategies must address both physical and logical access vectors in critical infrastructure environments.