A cybercriminal group has used a surprising method to infiltrate a bank’s internal systems, by planting a tiny Raspberry Pi computer inside the bank’s network. The attackers reportedly used the device to gain access to critical parts of the bank’s infrastructure, including systems that control ATM transactions.
The incident was reported by cybersecurity firm Group-IB, which called the approach “unprecedented.” The attackers managed to bypass all external cybersecurity defenses by physically placing the small computer inside the bank’s premises and connecting it to the same switch that handles ATM traffic. This gave them direct access to the bank’s internal communications.
The Raspberry Pi was fitted with a 4G modem, which allowed the hackers to control it remotely over mobile networks, meaning they didn’t need to be anywhere near the bank while carrying out their attack.
The main target was the bank’s ATM switching server — a system responsible for processing ATM transactions, and its hardware security module (HSM), which stores sensitive information like encryption keys and passwords. By gaining access to these systems, the attackers hoped to manipulate transaction flows and extract funds undetected.
The hacking group behind the attack, known in cybersecurity circles as UNC2891, has been active since at least 2017. They are known for targeting financial institutions and using custom-built malware, especially on Linux, Unix, and Solaris systems.
In this latest attack, the group also compromised a mail server within the bank to maintain long-term access. This mail server had continuous internet connectivity and acted as a bridge between the Raspberry Pi and the rest of the bank’s network. A monitoring server, which had access to most internal systems, was used to route communications between the devices.
During their investigation, Group-IB researchers noticed strange behavior from the monitoring server. It was sending signals every 10 minutes to unknown devices. Further analysis revealed two hidden endpoints, the planted Raspberry Pi and the compromised mail server.
The attackers had gone to great lengths to stay hidden. They disguised their malware by giving it the name “lightdm,” which is the name of a legitimate Linux display manager. They even mimicked normal command-line behavior to avoid raising suspicion during forensic reviews.
To make detection harder, the hackers used a lesser-known technique called a Linux bind mount, typically used in system administration, but now added to the MITRE ATT&CK cybersecurity database under “T1564.013.” This allowed the malware to function like a rootkit — a type of software that hides its presence from both users and security tools.
This incident is your call to be hyperaware of how attackers are becoming more creative, blending physical access with advanced software tactics to infiltrate secure environments.
