In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network
Summary
Threat group UNC2891 has planted a Raspberry Pi device equipped with a 4G modem within the network of an unnamed bank in order to siphon funds via the institution’s ATM system.
The group combined physical intrusion with a previously unseen method of obfuscation, which allowed the malware to hide itself even from sophisticated forensic tools, according to security firm Group-IB.
The technique, referred to as a “Linux bind mount”, abuses a standard kernel feature rather than a kernel bug: a bind mount makes an existing directory appear at a second path. By mounting another directory over the malware’s own /proc/<pid> entry, the attackers ensured that any tool enumerating /proc, forensic collectors included, read the overlaid directory instead of the real process metadata. The effect resembles a rootkit hiding a process, but the kernel itself is untouched, and the mount remains visible in the mount table.
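A practical check for this hiding trick, added here as an illustration and not code from Group-IB or the article: the kernel creates every /proc/<pid> directory itself and never mounts anything on them, so any entry in the mount table whose mount point is /proc/<digits> (or below it) is suspicious. The script below scans a /proc/self/mounts-style listing for such entries; the sample listing and PIDs 4242 and 4243 are constructed for the example, and the optional hiding function (root only, not invoked) shows the mount command an attacker would use.

```shell
#!/bin/sh
# Detect mounts layered over /proc/<pid> directories.
# Input: a file in /proc/self/mounts format
#   <source> <mountpoint> <fstype> <options> 0 0
# Output: one line per suspicious mount: "<pid> <source> <fstype>".
# Legitimate mounts under /proc (e.g. /proc/sys/fs/binfmt_misc) do not
# match because their second path component is not numeric.
find_proc_overmounts() {
    mounts_file="${1:-/proc/self/mounts}"
    # Match on the mount point, not the source: a bind mount of /proc/1 over
    # /proc/4243 shows up as just another "proc" mount, so the source alone
    # looks perfectly normal.
    awk '$2 ~ "^/proc/[0-9]+(/|$)" {
             split($2, parts, "/"); print parts[3], $1, $3
         }' "$mounts_file"
}

# The hiding step itself (requires root; defined only for illustration and
# never called in this script). Either an empty tmpfs or a bind mount of some
# other process directory works: ps, ls /proc and most forensic collectors
# then read the overlay instead of the real process entry.
hide_pid_demo() {
    target_pid="$1"
    mount --bind /proc/1 "/proc/$target_pid"
    # Alternative: mount -t tmpfs none "/proc/$target_pid"
}

# Constructed sample mount table: two entries have been planted over
# process directories, one with tmpfs and one with a bind of another pid dir.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /proc/4242 tmpfs rw,nosuid,nodev 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
proc /proc/4243 proc rw,nosuid,nodev,noexec,relatime 0 0
EOF

echo "Suspicious mounts in sample table:"
find_proc_overmounts "$SAMPLE_MOUNTS"

# Same check against the live system; on a clean host this prints nothing.
if [ -r /proc/self/mounts ]; then
    echo "Suspicious mounts on this host:"
    find_proc_overmounts /proc/self/mounts
fi
```

Run the script as any user; only the commented-out style hiding function needs root. Because the overlay is a mount, it also disappears on reboot and is visible to anything that reads /proc/self/mounts or runs findmnt, which is why a responder should collect the mount table before trusting a process listing.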
The Raspberry Pi was connected to the same network switch as the bank’s ATM system, giving the threat group a path to the ATM switching server and, through it, the ability to manipulate the bank’s hardware security module (HSM), the tamper-resistant device that holds the cryptographic keys behind PIN verification and transaction authorization.
UNC2891, which has been active since 2017, was previously documented by Google’s Mandiant division, which named the group’s custom rootkit CakeTap.