Hackers Use Raspberry Pi 4G Modem to Target Bank ATM System

Hackers have employed a unique tactic to breach the network of an unnamed bank, using a Raspberry Pi equipped with a 4G modem to gain unauthorized access to the financial institution’s ATM system. Researchers at security firm Group-IB reported that the attackers used this method in combination with remote access malware that utilized a novel Linux bind mount technique.

Like a rootkit, this technique allowed the malware to remain undetected by sophisticated forensic tools. The Raspberry Pi device was connected to the same network switch as the ATM system, giving it direct access to the internal network. The ultimate goal of this attack was to compromise the ATM switching server and manipulate the bank’s hardware security module.
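A defender-side check for this kind of hiding, added here as an example and not taken from the article or from Group-IB's report. It assumes the bind mount is placed over a process's `/proc/<pid>` directory (the page does not name the mount target); the sample mountinfo lines and function names are constructed for illustration.

```python
import re
from pathlib import Path

# Mount points at or below /proc/<numeric pid>. Normal systems have none.
PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed sample in /proc/self/mountinfo format (not real incident data).
SAMPLE_MOUNTINFO = """\
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
35 22 0:33 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - binfmt_misc binfmt_misc rw
412 22 0:45 / /proc/4242 rw,relatime - tmpfs tmpfs rw
413 22 8:1 /var/empty /proc/5151 rw,relatime - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Yield root, mount point, fstype and source for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        try:
            # Optional fields end at a lone "-", never before index 6.
            sep = fields.index("-", 6)
        except ValueError:
            continue  # malformed or truncated line
        if len(fields) < sep + 3:
            continue
        yield {"root": fields[3], "mount_point": fields[4],
               "fstype": fields[sep + 1], "source": fields[sep + 2]}

def find_pid_overmounts(text):
    """Return (pid, mount_point, fstype, source) for mounts covering /proc/<pid>."""
    hits = []
    for m in parse_mountinfo(text):
        match = PID_MOUNT.match(m["mount_point"])
        if match:
            hits.append((int(match.group(1)), m["mount_point"],
                         m["fstype"], m["source"]))
    return hits

def scan_live(path="/proc/self/mountinfo"):
    """Scan the current mount namespace; run as root on the host under review."""
    return find_pid_overmounts(Path(path).read_text())

if __name__ == "__main__":
    for pid, mp, fstype, src in find_pid_overmounts(SAMPLE_MOUNTINFO):
        print(f"suspicious: pid {pid} hidden by {fstype} mount from {src} at {mp}")
```

Any hit deserves a closer look at the covered PID, since tools that read `/proc/<pid>` will see the mounted filesystem's contents instead of the process entry.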

The financially motivated threat group behind the attack, tracked under the name UNC2891, has been targeting banking infrastructure since 2017. They have gained a reputation for their expertise in using custom malware in attacks targeting Linux, Unix, and Oracle Solaris systems. Group-IB’s report highlights that UNC2891 is still actively targeting bank networks, using advanced methods to evade detection.

This attack demonstrates the ongoing threat posed by sophisticated hacking groups seeking to compromise financial institutions’ ATM systems, highlighting the need for robust security measures to prevent such breaches.

Source: https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-4g-enabled-raspberry-pi-in-bank-network