Hackers Use Raspberry Pi for Innovative Bank Heist Attempt

In a recent high-profile cyber attack, hackers planted a Raspberry Pi fitted with a 4G modem inside the network of an unnamed bank. The device gave them a foothold inside the perimeter from which they attempted to reach the bank's ATM infrastructure and siphon funds, according to security researchers.
The team at Group-IB uncovered the operation and notes that the device sidestepped traditional perimeter defences entirely: with its own cellular uplink, nothing had to cross the bank's firewall inbound. The attack paired physical intrusion with remote-access malware that turned a standard Linux administration feature, the bind mount, into an anti-forensic trick, something that had not been observed in an attack before. By bind-mounting another directory over its own /proc/<pid> entry, the backdoor hid its process metadata from ps and from forensic tools that read /proc, although, as the investigation showed, not from memory analysis.
The Raspberry Pi was plugged into the same network switch that served the ATM system, giving the attackers a position inside the bank's internal network. Their ultimate target was the ATM switching server, from which they intended to manipulate the bank's hardware security module (HSM), the device that protects the cryptographic keys and other sensitive material behind card transactions.
The attackers have been identified as UNC2891, a group that has targeted financial institutions since 2017 and is known for custom malware aimed at Linux, Unix and Oracle Solaris systems. This incident fits the group's established pattern of long-running, advanced intrusions.
According to Google's Mandiant, UNC2891 has previously stayed undetected inside targeted networks for extended periods. The group developed CakeTap, a kernel rootkit for Oracle Solaris that intercepts and alters messages passing through ATM switching servers so that fraudulent withdrawals pass verification. Its other tooling includes SlapStick, a PAM backdoor, and TinyShell, a modified open-source backdoor.
Group-IB's report shows UNC2891 still refining its stealth. Beyond the Raspberry Pi itself, the group compromised an internal mail server that had persistent internet access and used it as a second, independent route back into the network. The bank's network monitoring server acted as the hub, relaying traffic between the implant and the mail server.
During Group-IB's investigation the first warning sign was the monitoring server calling out every 10 minutes. Forensic analysis traced these beacons to communications between the Raspberry Pi and the mail server, but the processes responsible could not be found with standard host tools. Only after capturing the server's memory did the researchers spot a process masquerading as 'lightdm', the legitimate Linux display manager; it was part of the malware, and the bind mount had hidden its /proc entry from the tooling used during live triage.
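The 10-minute call-outs are a classic beaconing signature, and they are easy to pick out of flow or firewall logs once you look at inter-arrival times rather than volume. The script below is an added example, not Group-IB's detection logic: it groups connection records by (source, destination, port) and flags flows whose gaps between connections are almost constant. The hosts, ports and timestamps are constructed for the demo and are not from the incident.

```python
"""Flag fixed-interval call-outs like the 10-minute beacons Group-IB saw.

Added example, not Group-IB's own detection logic. The input is a list of
connection records (epoch seconds, src, dst, dst_port) as a flow collector
or firewall log export would provide. The hosts and timestamps below are
constructed for the demo and are not from the incident.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def find_beacons(records, min_events=6, max_jitter=0.05):
    """Return [(key, median_gap_s, jitter)] for (src, dst, port) flows whose
    inter-arrival times are almost constant. jitter is stdev/mean of the gaps;
    human or batch traffic is bursty and rarely gets below 0.05, while a
    sleep(600) loop sits near zero."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in records:
        by_key[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((key, median(gaps), round(jitter, 4)))
    return hits


BASE = 1_700_000_000
# Constructed: the "monitoring server" (10.20.1.15) reaching the "mail
# server" (10.20.1.25) every ~600 s with a second or two of jitter.
MONITOR_BEACONS = [
    (BASE + 600 * i + off, "10.20.1.15", "10.20.1.25", 443)
    for i, off in enumerate([0, 1, -1, 2, 0, -2, 1, 0])
]
# Constructed: a workstation hitting the same mail server at irregular times.
USER_TRAFFIC = [
    (BASE + t, "10.20.2.40", "10.20.1.25", 443)
    for t in [0, 30, 930, 975, 2975, 3095, 3155]
]
# Constructed: too few events to judge, so it must be skipped.
SHORT_FLOW = [(BASE + t, "10.20.2.41", "10.20.1.15", 22) for t in [0, 600, 1200]]

SAMPLE_FLOWS = MONITOR_BEACONS + USER_TRAFFIC + SHORT_FLOW

if __name__ == "__main__":
    for (src, dst, port), gap, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"beacon {src} -> {dst}:{port} every ~{gap}s (jitter {jitter})")
```

On the constructed sample only the monitoring-to-mail flow is reported, with a median gap of 599 s. In practice, run it per day over a window long enough to collect several beacons, and tune `max_jitter` upward if the implant adds randomised sleep; internal servers that legitimately poll each other (monitoring checks, mail queue runners) will also score low and need to be allow-listed by destination.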
Group-IB reported the technique to MITRE, and it is now catalogued in the ATT&CK framework as T1564.013, Hide Artifacts: Bind Mounts. The attack was stopped before the backdoor reached the ATM network, a result that reflects both the bank's detection capability and the continuing inventiveness of the attackers.
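The bind-mount trick behind T1564.013 works because `ps`, `top` and most triage scripts only read /proc/<pid>/*; if `mount --bind /proc/<benign> /proc/<backdoor>` (or an empty tmpfs) has been placed over the backdoor's directory, those readers see the benign process's data or nothing at all. The mount itself is still recorded in the mount table, which is the cheap check to run before reaching for a memory capture. The script below is an added example, not Group-IB's tooling: it parses mountinfo lines and reports any mount whose mount point sits inside a /proc/<pid> directory. The sample mountinfo lines are constructed for the demo; when run on a live Linux host it also reads the real /proc/self/mountinfo.

```python
"""Find processes hidden by a bind mount over /proc/<pid> (ATT&CK T1564.013).

Added example, not Group-IB's tooling. Parses /proc/self/mountinfo and flags
mounts placed on top of a /proc/<pid> directory, which is what the bind-mount
hiding technique leaves behind. The sample lines below are constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass
class Overmount:
    hidden_pid: int           # the /proc/<pid> directory that has been covered
    mount_point: str
    fstype: str
    source: str
    shows_pid: Optional[int]  # if it is a bind of another pid's dir, which one


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def find_proc_overmounts(mountinfo_lines: Iterable[str]) -> List[Overmount]:
    """Return every mount whose mount point lies inside a /proc/<pid> directory."""
    found = []
    for line in mountinfo_lines:
        # id parent major:minor root mount_point opts [optional...] - fstype source super_opts
        left, sep, right = line.strip().partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue
        root, mount_point = _unescape(lf[3]), _unescape(lf[4])
        fstype, source = rf[0], _unescape(rf[1])
        m = PROC_PID_RE.match(mount_point)
        if not m:
            continue
        shows = None
        if fstype == "proc":
            # root is the path inside the source filesystem, e.g. "/1" for a
            # bind of /proc/1, so it tells us whose data is now on display
            r = re.match(r"^/(\d+)(?:/|$)", root)
            if r:
                shows = int(r.group(1))
        found.append(Overmount(int(m.group(1)), mount_point, fstype, source, shows))
    return found


def describe(o: Overmount) -> str:
    what = (f"shows pid {o.shows_pid}'s data" if o.shows_pid is not None
            else f"is covered by {o.fstype} ({o.source})")
    return f"/proc/{o.hidden_pid} {what}; the real process is hidden from /proc readers"


# Constructed sample: a normal /proc, a benign nested mount, and two hides.
SAMPLE_MOUNTINFO = [
    "26 1 0:23 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw",
    "40 26 0:38 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs systemd-1 rw",
    # backdoor pid 4242 hidden behind pid 1's entry via `mount --bind /proc/1 /proc/4242`
    "512 26 0:23 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw",
    # second variant: an empty tmpfs mounted over pid 4243
    "513 26 0:60 / /proc/4243 rw,relatime - tmpfs tmpfs rw",
]

if __name__ == "__main__":
    if os.path.exists("/proc/self/mountinfo"):  # Linux only
        with open("/proc/self/mountinfo") as f:
            live = find_proc_overmounts(f)
        print(f"live system: {len(live)} suspicious mount(s)")
        for o in live:
            print("  " + describe(o))
    print("constructed sample:")
    for o in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print("  " + describe(o))
```

Two caveats for real use. First, /proc/self/mountinfo shows only the mount namespace you are in; an implant that unshared its own mount namespace will not appear there, so iterate over every /proc/*/mountinfo (or compare against the init namespace with nsenter) rather than trusting one view. Second, a hit from this script tells you a directory is covered, not what is underneath it; confirming the hidden process still means unmounting it on a copy, reading kernel structures, or, as Group-IB did, acquiring memory.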
For more insights on cybersecurity, continue to follow the work of Group-IB and other leading tech security firms.