Bank robbers connected a Raspberry Pi device to a bank's network, resulting in the theft of cash from ATMs.
In the first quarter of 2024, a cybercrime group known as UNC2891 executed a sophisticated attack on an Asia-Pacific bank, marking a modern and covert approach to traditional ATM heists.
The attackers, first identified as a threat cluster in 2017, used a Raspberry Pi fitted with a 4G cellular modem. This small, easily concealed computer was physically planted on or near the bank's ATM and acted as a gateway through which the attackers reached the ATM network over the cellular link. Because that traffic entered over the cellular connection rather than through the bank's perimeter, it sidestepped the usual network security controls and let the attackers control the ATM and drain cash without themselves needing to be physically present at the machine.
The attack demonstrated several advanced tactics: the use of a small, covert computing device with cellular connectivity to maintain stealthy remote access; the exploitation of weaknesses in the ATM network to extract funds; and the application of anti-forensics methods to evade detection and hinder forensic investigation.
UNC2891's multi-vector attack strategy integrated hardware hacking and remote cyber intrusion. The Raspberry Pi was connected to the bank's network switch, which was also connected to the compromised ATM. The attackers also enlisted "runners" to physically plant the devices on ATMs.
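A device plugged into an ATM-facing switch port, as described above, still has to appear in the switch's MAC address table. The following is an added example, not code from the original article or from the researchers who reported the incident, showing a defender-side check that a security team might run over a MAC table dump: it normalizes MAC formats, compares each port against a constructed inventory of which device is supposed to sit on it, and flags Raspberry Pi vendor prefixes (OUIs from the IEEE registry). The switch output, inventory and port names are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Raspberry Pi OUIs (first three octets) as registered with the IEEE.
# Assumed sufficient for illustration; a production check would load the full registry.
RASPBERRY_PI_OUIS: Set[str] = {"B8:27:EB", "DC:A6:32", "E4:5F:01", "28:CD:C1", "D8:3A:DD"}

# Constructed sample resembling an access switch's "show mac address-table" output.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/1
  20    dca6.3201.9f22    DYNAMIC     Gi1/0/1
  20    0011.2233.4466    DYNAMIC     Gi1/0/2
  30    b827.eb11.2233    DYNAMIC     Gi1/0/5
"""

# Constructed inventory: each ATM-facing port should carry exactly the listed MAC(s).
EXPECTED_PORT_MACS: Dict[str, Set[str]] = {
    "Gi1/0/1": {"00:11:22:33:44:55"},
    "Gi1/0/2": {"00:11:22:33:44:66"},
    "Gi1/0/5": set(),  # unused port: nothing should ever be learned here
}

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")
Finding = Tuple[str, str, str]  # (port, mac, reason)


def normalize_mac(raw: str) -> str:
    """Convert dotted, hyphenated or colon-separated MAC forms to AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[.:\-]", "", raw).upper()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> Dict[str, Set[str]]:
    """Return {port: {normalized MACs}} from a MAC-table dump, skipping header lines."""
    seen: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header, separator or blank line
        _vlan, mac, _type, port = fields[:4]
        seen.setdefault(port, set()).add(normalize_mac(mac))
    return seen


def find_rogue_devices(table: Dict[str, Set[str]],
                       expected: Dict[str, Set[str]]) -> List[Finding]:
    """Flag MACs that are not in the inventory, carry a Raspberry Pi OUI,
    or share a port that should host a single device."""
    findings: List[Finding] = []
    for port, macs in sorted(table.items()):
        allowed = expected.get(port)
        if allowed is None:
            # A port we have no record of at all is itself worth a look.
            for mac in sorted(macs):
                findings.append((port, mac, "port not in inventory"))
            continue
        for mac in sorted(macs):
            if mac not in allowed:
                findings.append((port, mac, "MAC not in inventory for this port"))
            if mac[:8] in RASPBERRY_PI_OUIS:
                findings.append((port, mac, "Raspberry Pi OUI"))
        # An ATM port that suddenly learns a second address suggests an inline device.
        if len(macs) > max(1, len(allowed)):
            findings.append((port, "*", "more MACs than devices expected on port"))
    return findings


if __name__ == "__main__":
    for port, mac, reason in find_rogue_devices(parse_mac_table(SAMPLE_MAC_TABLE),
                                                EXPECTED_PORT_MACS):
        print(f"{port:10} {mac:18} {reason}")
```

The OUI match is only a heuristic, since a MAC address can be changed in software; the inventory comparison and the "extra address on a single-device port" rule are the more robust signals, and the durable fix is to enforce them on the switch itself (port security limiting each ATM port to its known MAC, or 802.1X so an unauthenticated device never gets a link at all).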
This incident underscores emerging threats where attackers use compact, mobile computing platforms like Raspberry Pi to breach financial systems both physically and digitally. The security industry is now working towards simplifying the nomenclature for cybercriminal outfits due to confusion, with Microsoft leading the charge to align all vendors and reduce complexity.
Despite the efforts of the attackers, the attack was mitigated a few days after the first withdrawal. However, the researchers did not disclose the amount of money UNC2891 was able to siphon off.
UNC2891 is linked to other cybercrime groups such as UNC1945/LightBasin, which in turn is linked to MustangPanda and RedDelta. This incident serves as a reminder of the interconnected nature of cybercrime and the need for continued vigilance in the face of evolving threats.
- The security industry is working towards simplifying the nomenclature for cybercriminal outfits, with Microsoft leading the charge. The confusion stems from how interconnected these groups are: UNC2891, for example, is linked to UNC1945/LightBasin, MustangPanda, and RedDelta.
- In the banking and insurance sector, the use of a Raspberry Pi device in UNC2891's attack highlights the need for robust cybersecurity measures, especially against combined hardware tampering and remote intrusion.
- AI-driven solutions could potentially aid in identifying and mitigating such advanced threats, as the finance industry has become increasingly reliant on technology, making it a prime target for cyber attacks.
- UNC2891's attack, which combined a traditional ATM heist with modern cyber tactics, shows that maintaining high cybersecurity standards in a fast-paced, technology-driven industry cannot be overstated.