ATM Heist Foiled: Hackers Used 4G Raspberry Pi

By Todays Bridge | August 1, 2025 | 3 Mins Read

In a high-tech twist on an old-school bank heist, a group of sophisticated hackers planted a 4G-enabled Raspberry Pi inside a bank’s internal network in an attempt to loot its ATMs. But thanks to sharp-eyed investigators, the heist was stopped before any financial damage occurred.

Cybersecurity firm Group-IB uncovered a sophisticated intrusion attempt by UNC2891 (aka LightBasin), a financially motivated threat group known for its attacks on banks and telecommunication systems worldwide since 2016. This time, however, the group demonstrated a new level of operational sophistication.

A Physical Break-In Meets Digital Intrusion

At the heart of the attack was a Raspberry Pi—a credit-card-sized computer equipped with a 4G modem. This device was physically installed on the same network switch as the ATM system, bypassing the bank’s firewalls and perimeter defenses via mobile data. It hosted malware and served as a command-and-control node for the attackers, allowing them to move deeper into the network undetected.

Group-IB suspects the hackers either infiltrated the premises themselves or paid off an insider to plant the device.

A Network Under Siege

Once inside, the device hosted a TinyShell backdoor, which established a persistent command-and-control (C2) channel using Dynamic DNS.

From the compromised switch, attackers laterally moved to the Network Monitoring Server, a critical system with connections to almost every other server in the bank’s data center. Once that was under their control, they used it to access the Mail Server, which had direct internet access. Even if the Raspberry Pi was discovered, they had a backup route to keep their foothold.

To evade detection, the attackers employed an undocumented Linux anti-forensics technique using bind mounts (now recognized in MITRE ATT&CK as T1564.013) to obscure malicious processes.

The backdoor was disguised as a legitimate system process named lightdm, a known Linux display manager, and was executed from non-standard paths like /tmp/lightdm.

Another factor that contributed to the attack’s high degree of stealth was LightBasin mounting alternative filesystems (like tmpfs and ext4) over critical system paths, successfully hiding the backdoor’s process data from standard forensic tools.

The attackers’ objective was to plant a custom rootkit named CAKETAP on the bank’s ATM switching server, a critical system that communicates with the bank’s Hardware Security Module (HSM), a device that authorizes ATM transactions. That would have allowed the hackers to spoof ATM authorization for fraudulent withdrawals and potentially siphon off large sums of cash.

Thankfully, Group-IB detected the operation before this could be achieved.

A Wake-Up Call For The Banking Sector

The incident is a rare but chilling example of how cybercriminals are blending physical access with remote exploitation, making such attacks both difficult to detect and challenging to contain.

Group-IB is urging financial institutions to bolster both their physical and digital security, with recommendations such as:

  • Locking down physical access to network switches, especially near ATM infrastructure.
  • Monitoring for unusual filesystem activity, especially the mounting of /proc.
  • Capturing memory images during incident response—not just disk snapshots.
  • Blocking or flagging binaries that execute from suspicious paths like /tmp or .snapd.
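
The second and fourth recommendations can be turned into a simple host check, because a filesystem mounted over a process's /proc entry still appears in the kernel's mount table. The following is an added example, not code from Group-IB or from this article; the function names, PIDs and sample mountinfo lines are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed /proc/self/mountinfo excerpt (not from the incident).
SAMPLE_MOUNTINFO = """\
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
35 22 0:31 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - binfmt_misc binfmt_misc rw
40 28 0:30 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
310 22 0:55 / /proc/8239 rw,relatime shared:160 - tmpfs tmpfs rw
311 22 8:1 /tmp/empty /proc/8412 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

PROC_PID = re.compile(r"^/proc/(\d+)(?:/.*)?$")

def masked_proc_entries(mountinfo_text):
    """Return (pid, fstype, mount_point) for each mount on or under /proc/<pid>."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)   # optional fields end at the "-" separator
            fstype = fields[sep + 1]
        except (ValueError, IndexError):
            continue                     # malformed or truncated line
        match = PROC_PID.match(fields[4])  # field 5 is the mount point
        if match:
            hits.append((int(match.group(1)), fstype, fields[4]))
    return hits

def suspicious_exe(exe_path):
    """Flag executables under /tmp or inside a .snapd directory (paths named in the article)."""
    suffix = " (deleted)"                # the kernel appends this if the file was unlinked
    if exe_path.endswith(suffix):
        exe_path = exe_path[: -len(suffix)]
    parts = PurePosixPath(exe_path).parts
    return parts[:2] == ("/", "tmp") or ".snapd" in parts

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as fh:   # live check on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTINFO
    for pid, fstype, mount_point in masked_proc_entries(text):
        print(f"ALERT: {fstype} mounted over {mount_point} (pid {pid})")
```

Legitimate mounts such as /proc/sys/fs/binfmt_misc are not flagged, since only mount points under a numeric /proc/<pid> directory match.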

This incident highlights how a low-cost device like a Raspberry Pi can bypass million-dollar defenses if physical access is overlooked. It’s a stark reminder that digital defense must account for physical vulnerabilities too, because even a small piece of hardware can pose a serious threat if placed in the wrong hands.
