Unusual ATM Hack Reveals Risks of Physical Compromise in Cybersecurity

A recent report from Group-IB has shed light on an unusual and sophisticated attempt by a criminal group to hack into a bank's ATM infrastructure using a 4G-enabled Raspberry Pi. The incident highlights the risks associated with physical access tactics and advanced anti-forensic techniques, demonstrating that software-based protection may not always be enough to prevent cyber attacks.

The attackers, known as UNC2891, exploited a physical access point by deploying the Raspberry Pi on a network switch used by the ATM system. This allowed them to circumvent digital perimeter defenses entirely and gain persistent command-and-control access from outside the institution's network without triggering typical firewall or endpoint protection alerts.

The Role of Physical Access in Cybersecurity

"One of the most unusual elements of this case was the attacker's use of physical access to install a Raspberry Pi device," said Nam Le Phuong, Group-IB Senior Digital Forensics and Incident Response Specialist. "This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank's internal network." The use of physical access points is a critical vulnerability in cybersecurity that can be exploited by attackers to gain unauthorized access to a system.

The Raspberry Pi served as a covert entry point with remote connectivity via its 4G modem. This allowed the attackers to maintain a low-profile presence while deploying custom malware and carrying out lateral movement within the bank's infrastructure. The device was used to control network communications, enabling data to pass unnoticed across multiple internal systems.

Advanced Anti-Forensic Techniques Used by Attackers

The attackers used a layered approach to obfuscation, employing several advanced techniques to evade detection. One of the tools used was TinyShell, which enabled them to control network communications and maintain persistence in the system. The malware processes were named "lightdm," imitating legitimate Linux system processes, making it difficult for forensic tools to detect.

The attackers also used a technique known as Linux bind mounts to hide process metadata from forensic tools. This method has since been cataloged in the MITRE ATT&CK framework due to its potential to elude conventional detection. The investigators discovered that the bank's monitoring server was silently communicating with the Raspberry Pi every 600 seconds, which was subtle and didn't immediately stand out as malicious.
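Two checks a defender could build from the details in this section, as an added example (not code from Group-IB's report): flagging bind mounts placed over /proc/<pid> by parsing /proc/self/mountinfo, and finding fixed-interval beaconing (such as every 600 seconds) in connection logs. The sample mountinfo lines, log lines, PIDs and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /proc/self/mountinfo excerpt. The last line binds PID 4242's /proc
# entry over /proc/1337, so tools reading PID 1337's cmdline/exe see 4242's.
SAMPLE_MOUNTINFO = """\
22 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
90 22 0:21 /4242 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
"""
PROC_PID = re.compile(r"^/proc/(\d+)(/|$)")

def find_proc_bind_mounts(mountinfo: str) -> list:
    """Mounts whose mount point lies under /proc/<pid> (fields: id parent
    maj:min root mount_point ...). A healthy host yields an empty list."""
    hits = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 5 and (m := PROC_PID.match(fields[4])):
            hits.append({"pid": int(m.group(1)), "root": fields[3], "mount_point": fields[4]})
    return hits

# Constructed firewall log ("<ISO time> <src> -> <dst>"): the pair to 10.10.9.77
# talks every 600 s, the steady cadence the investigators found in this case.
SAMPLE_CONN_LOG = """\
2025-07-01T10:00:00 10.10.5.20 -> 10.10.9.77
2025-07-01T10:03:12 10.10.5.20 -> 10.10.1.4
2025-07-01T10:10:00 10.10.5.20 -> 10.10.9.77
2025-07-01T10:20:00 10.10.5.20 -> 10.10.9.77
2025-07-01T10:30:00 10.10.5.20 -> 10.10.9.77
2025-07-01T10:41:55 10.10.5.20 -> 10.10.1.4
"""

def find_beacons(log: str, min_events: int = 4, tolerance: float = 0.05) -> dict:
    """(src, dst) -> median gap in seconds, for pairs seen >= min_events times with every gap within tolerance."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= tolerance * median for g in gaps):
            beacons[pair] = median
    return beacons
```

On a live host, feed `open("/proc/self/mountinfo").read()` to the first function; the second expects one line per connection event, so aggregate flow logs first.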

Attacker Persistence After Physical Implant Removal

Even after the physical implant was removed, the attackers retained access through a secondary vector. They had also deployed custom malware capable of manipulating hardware security modules to authorize illegitimate transactions. Fortunately, the intrusion was halted before this phase could be executed.

Risks and Lessons Learned

The incident highlights the risks posed by the growing convergence of physical access tactics and advanced anti-forensic techniques. It also shows that, beyond remote hacking, insider threats or physical tampering can facilitate identity theft and financial fraud, and that software-based protection alone is not always enough to prevent such attacks.

It is essential for organizations to take proactive measures to protect themselves against such attacks, including implementing robust security protocols, conducting regular vulnerability assessments, and providing training to employees on cybersecurity best practices.

About the Author

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics.