ATM Under Siege
How UNC2891 Used a 4G Raspberry Pi to Breach Bank Networks
What happens when hackers go hands-on with your infrastructure?
Meet UNC2891—a financially motivated threat group that’s redefining ATM attacks by blending physical infiltration with surgical cyber tactics. Their latest weapon? A 4G-enabled Raspberry Pi, physically planted inside a bank’s network. (For those unfamiliar, a Raspberry Pi is a tiny, fully functional computer that you can program and run offline. Think of it as a mini tech “brain” you control—it can run a custom operating system and manage gadgets or even security systems. It’s the kind of device hackers love to exploit, akin to a Flipper Zero hacking tool or something straight out of a spy thriller.)
The goal of UNC2891’s daring ploy? To sidestep firewalls, inject malware, and potentially hijack ATM cash operations with a rootkit known as CAKETAP.
Anatomy of a Cyber-Physical Breach
This was no ordinary remote hack—it was a hands-on break-in, a “spy gadget meets malware” operation. Here’s how it went down:
Step 1: Physical Infiltration – The attackers gained physical access to a secure ATM area (possibly with insider help). They plugged a 4G-modem-equipped Raspberry Pi into the network switch that the ATM was connected to. Suddenly, this tiny implant was an insider on the bank’s network, effectively bypassing all the bank’s firewalls and security monitoring systems upstream.
Step 2: Covert Control – Once the Pi was in place, it immediately phoned home over its cellular connection. It ran a stealthy backdoor program (TinyShell) and used a dynamic DNS service to set up a hidden command-and-control (C2) link back to the attackers. In plain terms, the hackers now had a remote control inside the ATM network—without tripping any alarms.
Step 3: Hiding in Plain Sight – Here’s where it gets clever. The attackers abused a Linux trick called bind mounts (MITRE ATT&CK technique T1564.013) to mask their presence. They essentially overlaid clean, innocuous files on top of their malicious files—like putting fresh wallpaper over a cracked wall. Security tools scanning the system saw only the clean “wallpaper,” not the dangerous malware lurking underneath.
Step 4: Preparing a Digital Heist – Finally, the attackers attempted to deploy a kernel rootkit dubbed CAKETAP. This malicious module was designed to spoof the bank’s Hardware Security Module (HSM) responses. In simple terms, it could fake the authorization signals that control ATM cash disbursements.
If CAKETAP had been activated, the hackers might have triggered ATMs to spit out cash on command, at scale. Fortunately, investigators discovered the scheme just in time, preventing the rootkit’s deployment and foiling the cash-out plot.
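The bind-mount trick in Step 3 leaves a trace the kernel cannot hide: every mount, bind mounts included, appears in /proc/self/mountinfo (format documented in proc(5)). The detector below is an added example written for this article, not code from UNC2891, from the investigators, or from KromeIT. It parses mountinfo lines and flags two patterns: a non-pseudo filesystem mounted over a path under /proc or /sys (the shape of a directory overlaid on a process entry), and any mount whose "root" field is a sub-directory rather than "/", which is how a bind mount of a directory shows up. The sample mountinfo text is constructed; the process id, paths and device numbers in it are invented.

```python
"""Heuristic bind-mount detector over /proc/self/mountinfo (added example)."""
import os
import re
from dataclasses import dataclass

# Filesystem types that legitimately live under each pseudo-filesystem tree.
# Assumption: this allow-list is an example and may need extending on your build.
PSEUDO_FS = {
    "/proc": {"proc", "binfmt_misc"},
    "/sys": {"sysfs", "cgroup", "cgroup2", "securityfs", "debugfs", "tracefs",
             "pstore", "bpf", "configfs", "fusectl", "efivarfs"},
}

# Constructed sample: a normal system plus one ext4 directory bind-mounted
# over /proc/4271 (hides that process from tools that read /proc) and one
# ordinary, benign directory bind mount for an application volume.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
27 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
41 28 0:25 / /dev/shm rw,nosuid,nodev shared:18 - tmpfs tmpfs rw
150 22 8:1 /tmp/.cache/empty /proc/4271 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
151 28 8:1 /var/lib/docker/volumes/data /srv/app/data rw,relatime shared:1 - ext4 /dev/sda1 rw
"""


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str         # path inside the filesystem that is mounted here
    mount_point: str  # where it appears in the namespace
    fstype: str
    source: str


def unescape(path):
    """mountinfo encodes space, tab, newline and backslash as octal \\NNN."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Parse mountinfo lines; fields before ' - ' are fixed, after it come fstype and source."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        l, r = left.split(), right.split()
        if len(l) < 6 or len(r) < 2:
            continue
        mounts.append(Mount(int(l[0]), int(l[1]), unescape(l[3]), unescape(l[4]), r[0], r[1]))
    return mounts


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def find_suspicious(mounts):
    """Return findings as dicts with mount_point, severity and reason."""
    findings = []
    for m in mounts:
        # 1. Something that is not a kernel pseudo-filesystem sitting inside /proc or /sys.
        for prefix, allowed in PSEUDO_FS.items():
            if _under(m.mount_point, prefix) and m.fstype not in allowed:
                findings.append({"mount_point": m.mount_point, "severity": "high",
                                 "reason": f"{m.fstype} {m.source}:{m.root} overlaid inside {prefix}"})
        # 2. A sub-directory mounted anywhere: the signature of a directory bind mount.
        if m.root != "/":
            findings.append({"mount_point": m.mount_point, "severity": "info",
                             "reason": f"bind mount of {m.source}:{m.root}"})
    return findings


if __name__ == "__main__":
    # Use the live table when run on a Linux host, the constructed sample otherwise.
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for f in find_suspicious(parse_mountinfo(text)):
        print(f"[{f['severity']}] {f['mount_point']}: {f['reason']}")
```

Run it periodically (or from an EDR script hook) and alert on any "high" finding; "info" findings are common on container hosts and belong on an allow-list rather than in an alert queue. Note that a rootkit that has already loaded into the kernel can lie about mountinfo too, which is why the article pairs this kind of check with memory forensics.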
What This Means for Banks and Enterprises
This breach wasn’t just technical—it was tactical. It shows how the old adage still holds true:
“If an attacker can touch your hardware, they can own your network.”
Key Lessons:
- Physical access = digital compromise. If someone can physically plug a rogue device into your system, assume they can breach it. Every exposed port or unsecured switch is a potential entry point, so security must extend beyond software.
- Memory & network forensics beat file scans. Standard antivirus and disk scans missed the rootkit entirely. Only deep analysis of memory and live network connections revealed the hidden malware. In modern attacks, looking at running processes and RAM can be more important than checking the hard drive.
- Perimeter defenses aren’t enough. Traditional firewalls and monitoring failed here because the Raspberry Pi used its own 4G connection to communicate. The device was inside the network and off the radar, so the usual perimeter security never saw any malicious traffic. Internal threats or implants must be assumed as a possibility.
How to Stay Ahead of Hybrid Threats
To defend against these hybrid physical-cyber attacks, organizations should bolster both their physical security and cyber defenses:
- Secure every port and device: Lock down physical access to critical hardware. Padlock server rooms, secure network switches, and control who can plug in new devices. If there’s an open port in a public area, it’s a risk waiting to be exploited.
- Watch memory, not just disks: Use advanced security tools (EDR/XDR) that monitor real-time system behavior, not only files on disk. Analyze system memory and running processes for anomalies. This helps catch malware that hides in RAM or camouflages itself (as in this case).
- Monitor internal traffic: Keep an eye on network activity within your perimeter. Set up alerts for unusual beaconing or devices suddenly reaching out over cellular networks. If a box in your network starts talking to an unknown external server at odd hours, investigate immediately.
- Detect the undetectable: Implement checks for sneaky techniques like bind mounts or hidden file systems. For example, monitor for unexpected mount/unmount operations or strange behavior in system directories. Any sign of tampering with system files or configurations should raise flags.
- Drill for blended attacks: Train and drill your incident response team on scenarios that combine physical breaches with cyber attacks. Run realistic simulations where a hacker might have insider access. The faster your team can respond to a device secretly added to your network, the better you can contain and eradicate the threat.
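Because the implant carried its own 4G uplink, the bank’s LAN never saw its command-and-control traffic; the signal that was available on the wire was the device itself showing up on a switch port. The script below is an added example for the “Secure every port and device” and “Monitor internal traffic” items, not code from UNC2891, the investigators or KromeIT. It compares a snapshot of what a switch currently sees (MAC, IP, port) against an asset inventory and raises on any MAC that is not inventoried or that has moved to a port it does not belong on. Unknown hardware whose OUI belongs to a Raspberry Pi block is escalated, since an ATM segment should contain ATMs. The switch names, ports, ATM MACs and IPs are constructed sample data; the OUI list is an assumption to be cross-checked against the IEEE registry before use.

```python
"""Rogue-device audit for an ATM network segment (added example)."""
from dataclasses import dataclass

# OUI prefixes registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
# Assumption: verify against the IEEE OUI registry; an attacker can also change
# the MAC, so treat an OUI hit as an escalation hint, not the primary control.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Constructed inventory: MAC -> (switch, port) where each ATM is supposed to live.
# The 02:AA:BB:... addresses are locally administered placeholders, not real vendors.
SAMPLE_INVENTORY = {
    "02:AA:BB:00:01:01": ("sw-atm-01", "Gi1/0/1"),
    "02:AA:BB:00:01:02": ("sw-atm-01", "Gi1/0/2"),
    "02:AA:BB:00:01:03": ("sw-atm-01", "Gi1/0/4"),
}

# Constructed snapshot of the switch's MAC/ARP view: 'switch port mac ip' per line.
# ATM 3 has moved to a different port, and an unknown Raspberry Pi sits on Gi1/0/7.
SAMPLE_SNAPSHOT = """\
# switch    port     mac                 ip
sw-atm-01   Gi1/0/1  02:AA:BB:00:01:01   10.40.1.11
sw-atm-01   Gi1/0/2  02:AA:BB:00:01:02   10.40.1.12
sw-atm-01   Gi1/0/7  b827.eb4c.9a21      10.40.1.57
sw-atm-01   Gi1/0/3  02-aa-bb-00-01-03   10.40.1.13
"""


@dataclass(frozen=True)
class Observation:
    switch: str
    port: str
    mac: str
    ip: str


def normalize_mac(mac):
    """Accept 'b8-27-eb-..', 'b827.eb4c.9a21' or 'B8:27:EB:..' and return colon form."""
    hexdigits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_raspberry_pi(mac):
    return normalize_mac(mac)[:8] in RASPBERRY_PI_OUIS


def parse_snapshot(text):
    """Parse the constructed snapshot format; '#' lines are comments."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        switch, port, mac, ip = line.split()
        observations.append(Observation(switch, port, normalize_mac(mac), ip))
    return observations


def audit(observations, inventory):
    """Return one finding per MAC that is unknown or seen away from its inventoried port."""
    expected = {normalize_mac(mac): loc for mac, loc in inventory.items()}
    findings = []
    for obs in observations:
        if obs.mac not in expected:
            findings.append({"mac": obs.mac, "switch": obs.switch, "port": obs.port, "ip": obs.ip,
                             "kind": "unknown-device",
                             "severity": "high" if is_raspberry_pi(obs.mac) else "medium"})
        elif expected[obs.mac] != (obs.switch, obs.port):
            findings.append({"mac": obs.mac, "switch": obs.switch, "port": obs.port, "ip": obs.ip,
                             "kind": "moved-device", "severity": "medium",
                             "expected": expected[obs.mac]})
    return findings


if __name__ == "__main__":
    for f in audit(parse_snapshot(SAMPLE_SNAPSHOT), SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['kind']}: {f['mac']} on {f['switch']} {f['port']} ({f['ip']})")
```

In production the snapshot would come from the switch’s MAC address table, DHCP leases or a NAC system rather than a text file, and a "high" finding on an ATM segment should page the incident response team, with port shutdown as the containment step. 802.1X port authentication removes most of this class of problem up front; the audit is the detective control that catches what slips through.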
The Big Picture
Attacks like these prove we’ve entered a new era of cyber-physical warfare. The line between digital and physical security is blurring, and attackers are thinking outside the traditional playbook. A tiny gadget planted in an office can lead to a massive data breach or financial heist. Hackers are thinking beyond code—so must we.
At KromeIT, we help enterprises build smarter, safer, and more human-centric defenses—where every endpoint, cable, and port is accounted for.
Are your systems ready for an attack that walks in the front door?
Visit KromeIT.com and fortify your future.
