The financially motivated threat actor known as UNC2891 has launched a sophisticated attack on Automatic Teller Machine (ATM) infrastructure by utilizing a 4G-equipped Raspberry Pi. This covert operation highlights significant vulnerabilities in ATM networks, with experts indicating that the attack involved physical access to the bank’s premises.
According to a report by security researcher Nam Le Phuong from Group-IB, the attacker linked the Raspberry Pi directly to the network switch associated with the ATM. This action effectively integrated the device into the bank’s network, though the method of achieving this access remains unclear. The use of a 4G modem allowed the attacker to maintain remote access over mobile data, raising concerns about the security of ATM networks.
Utilizing the TINYSHELL backdoor, the perpetrator established a command-and-control (C2) channel through a Dynamic DNS domain. Because that channel rode the modem's mobile-data link rather than the bank's internet egress, it circumvented existing perimeter firewalls and traditional network defenses, and the additional backdoors gave the attacker sustained access to the ATM network even after the Raspberry Pi was eventually discovered. The incident underscores the evolving tactics used by cybercriminals to obtain financial data.
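The two detection opportunities the incident leaves a defender, an unknown device appearing on the ATM switch segment and ATM-segment hosts resolving dynamic-DNS names, as an added example that is not from the Group-IB report or any bank's tooling. The ARP and DNS log line formats, the asset inventory, the VLAN number and the list of dynamic-DNS zones are all assumptions; the sample lines are constructed.

```python
# Added example (not from the Group-IB report): two detection checks a defender could run
# over ATM-segment telemetry. Log formats, inventory and DDNS zones are assumptions.
import re
from collections import defaultdict

# Assumed asset inventory for the ATM VLAN: MAC -> expected device.
ATM_INVENTORY = {
    "00:11:22:33:44:01": "atm-01",
    "00:11:22:33:44:02": "atm-02",
}

# Illustrative list of dynamic-DNS provider zones; extend it from your own intelligence.
DDNS_ZONES = ("duckdns.org", "no-ip.com", "dyndns.org", "ddns.net")

ARP_RE = re.compile(r"arp (?P<ip>\S+) (?P<mac>[0-9a-f:]{17}) vlan (?P<vlan>\d+)")
DNS_RE = re.compile(r"dns client=(?P<ip>\S+) q=(?P<name>\S+)")

def rogue_devices(arp_lines, atm_vlan="120"):
    """Return {ip: mac} for hosts seen on the ATM VLAN whose MAC is not inventoried."""
    found = {}
    for line in arp_lines:
        m = ARP_RE.search(line)
        if m and m["vlan"] == atm_vlan and m["mac"] not in ATM_INVENTORY:
            found[m["ip"]] = m["mac"]
    return found

def ddns_queries(dns_lines):
    """Return {client_ip: {names}} for queries that fall under a dynamic-DNS zone."""
    hits = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")  # normalise trailing dot and case
        if any(name == z or name.endswith("." + z) for z in DDNS_ZONES):
            hits[m["ip"]].add(name)
    return dict(hits)

# Constructed sample telemetry: one inventoried ATM and one unknown device on VLAN 120.
SAMPLE_ARP = [
    "arp 10.20.120.11 00:11:22:33:44:01 vlan 120",
    "arp 10.20.120.57 de:ad:be:ef:00:01 vlan 120",
    "arp 10.20.10.5 00:11:22:33:44:99 vlan 10",
]
SAMPLE_DNS = [
    "dns client=10.20.120.11 q=hsm.bank.internal.",
    "dns client=10.20.120.57 q=update-node.example-ddns.ddns.net.",
    "dns client=10.20.120.57 q=ntp.bank.internal.",
]

if __name__ == "__main__":
    print("uninventoried hosts on ATM VLAN:", rogue_devices(SAMPLE_ARP))
    print("dynamic-DNS lookups from ATM VLAN:", ddns_queries(SAMPLE_DNS))
```

A host that trips both checks at once, as the unknown device does here, is the combination worth paging on; either alone is a lead to verify against the switch port and the change record.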
The hacking group, UNC2891, was first documented by Google-owned Mandiant in March 2022. They have been linked to other fraudulent activities, specifically targeting ATM switching networks to facilitate unauthorized cash withdrawals through the use of cloned cards. Their operations heavily involve a kernel module rootkit known as CAKETAP, which is designed to obscure network connections and intercept verification messages during transactions.
Analysts note the technical sophistication of UNC2891, suggesting possible connections to another threat actor, UNC1945, which previously targeted managed service providers and specific sectors such as financial services. Group-IB’s investigation discovered additional backdoors on the victim’s network, indicating a well-planned approach by the attackers.
The implications of this cyber incident are profound, raising alarms about the security measures currently in place at financial institutions. Group-IB emphasizes the necessity for enhanced monitoring and protective strategies to thwart such incursions in the future. Despite the disruption of the campaign before any significant losses were recorded, the persistence shown by UNC2891 illustrates a troubling trend in financial crime.