Cybercrooks attached Raspberry Pi to bank network and drained ATM cash
- Reference: 1754042413
- News link: https://www.theregister.co.uk/2025/08/01/cybercrooks_bribed_lackeys_in_physical/
- Source link:
Group-IB reported the findings for the first time this week, telling The Register that the attack took place in Q1 2024 and involved the crooks paying "runners" to physically plant the devices on ATMs.
The attack was attributed to what cybersecurity pros refer to as a "threat cluster" tracked as UNC2891, which was first spotted in 2017.
We're told that participants in UNC2891's activities are neither native to nor located in Indonesia, and Mandiant previously linked them to [2]UNC1945/LightBasin, which in turn is linked to [3]MustangPanda and [4]RedDelta.
Group-IB [7]said the team successfully withdrew cash from a compromised ATM, and the attack was mitigated a few days after that first withdrawal. The researchers would not say how much money UNC2891 was able to siphon off, however.
What's in a name?
Losing track of all the different names for cybercriminal outfits? Don't know your Pandas from your Blizzards?
We're tired of the myriad names the security industry has for the same groups, too.
The good news is that it seems like [8]the pros have had enough now as well, so provided Microsoft can wrangle all the vendors into shape, we won't have to deal with such messy nomenclature for much longer.
The criminals, or the people they paid to carry out the physical attack, connected a [9]Raspberry Pi to a bank's network switch, the same one hooked up to the ATM that was subsequently raided.
That Raspberry Pi was equipped with a 4G modem, granting attackers remote access to the bank's internal network.
UNC2891 then deployed a backdoor known as Tinyshell to establish persistent access via a command-and-control channel and a dynamic DNS domain. The method allowed the criminals to bypass traditional network defenses such as perimeter firewalls, Group-IB said.
Tinyshell connected to both the Raspberry Pi and the bank's mail server. The mail server had direct internet connectivity, which meant that when the Raspberry Pi was disconnected, the attackers still had access to the network.
After the crooks cashed out, the forensic team brought in to handle the situation struggled to locate the issue thanks to UNC2891's obfuscation techniques.
The backdoor, for example, was disguised as the LightDM display manager commonly found on [15]Linux systems, demonstrating the group's skillset, which the researchers said spanned Linux, Unix, and Oracle Solaris environments.
UNC2891 also used Linux bind mounts to hide its backdoor processes, which, at the time, had not been documented in public threat reports, Group-IB said.
The technique is now recognized by MITRE's ATT&CK framework as T1564.013.
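The bind-mount trick works because anything that reads /proc/<pid> (ps, top, ls /proc, most triage scripts) is served whatever has been mounted over that directory, so the backdoor's process looks like something harmless. The mount itself, however, is still recorded by the kernel in /proc/self/mountinfo, and no legitimate software mounts anything directly on a /proc/<pid> directory. The following is an added example, not code from the Group-IB report or from The Register: it parses mountinfo lines and reports any mount point of the form /proc/<digits>. The sample mountinfo text and the PIDs 1234, 5678 and 7777 in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo for a host where an attacker ran
# "mount --bind /proc/1234 /proc/5678" (so PID 5678 shows PID 1234's details)
# and mounted an empty tmpfs over /proc/7777. PIDs are hypothetical.
SAMPLE_MOUNTINFO = """\
22 29 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
23 29 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
24 29 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=4k,mode=755
29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
150 23 0:22 /1234 /proc/5678 rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
151 23 0:30 / /proc/7777 rw,relatime shared:40 - tmpfs tmpfs rw,size=1k
"""

# A mount point that is exactly /proc/<pid> or something beneath it.
_PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def _unescape(field: str) -> str:
    # mountinfo octal-escapes space, tab, newline and backslash in path fields.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse /proc/self/mountinfo text into one dict per mount.

    Layout per line: id parent major:minor root mount_point options
    [optional fields...] - fstype source super_options
    """
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, sep, tail = line.partition(" - ")
        if not sep:
            continue  # malformed line, skip rather than guess
        h, t = head.split(), tail.split()
        if len(h) < 6 or len(t) < 2:
            continue
        mounts.append({
            "id": h[0], "parent": h[1], "dev": h[2],
            "root": _unescape(h[3]), "mount_point": _unescape(h[4]),
            "options": h[5], "fstype": t[0], "source": _unescape(t[1]),
        })
    return mounts


def find_hidden_pids(text: str) -> List[Dict[str, str]]:
    """Return every mount sitting on a /proc/<pid> directory.

    For a proc-on-proc bind mount, 'shows' is the subtree (the PID whose view
    is being served); for any other filesystem it is the mount source.
    """
    findings = []
    for m in parse_mountinfo(text):
        match = _PROC_PID_RE.match(m["mount_point"])
        if not match:
            continue
        findings.append({
            "hidden_pid": match.group(1),
            "mount_point": m["mount_point"],
            "fstype": m["fstype"],
            "shows": m["root"] if m["fstype"] == "proc" else m["source"],
        })
    return findings


if __name__ == "__main__":
    # Check the live host when run directly; fall back to the sample elsewhere.
    try:
        with open("/proc/self/mountinfo") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_MOUNTINFO
    for f in find_hidden_pids(data):
        print(f"PID {f['hidden_pid']} is masked by a {f['fstype']} mount "
              f"({f['mount_point']} now shows {f['shows']})")
```

Run it from the host's own mount namespace (inside a container you only see that container's mounts) and, as the article's closing advice implies, from a trusted live-response toolkit rather than the suspect box's own binaries: a bind mount is a user-space trick the kernel will happily report, but a kernel rootkit of the kind UNC2891 was reaching for can lie about mountinfo too, which is why memory forensics is the backstop.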
Defenders were able to stop UNC2891 from achieving its ultimate goal, which they believe was to deploy the "Caketap" rootkit to spoof authorization messages that could be used to enable further cash withdrawals.
The researchers noted that the attack serves as a reminder that bad actors using the latest tools and cunning techniques can defeat traditional incident response playbooks, and that memory and network forensics are needed to supplement the usual triage tools. ®
[2] https://www.theregister.com/2021/10/20/linux_solaris_under_attack_at_telcos/
[3] https://www.theregister.com/2025/01/14/fbi_french_cops_boot_chinas/
[4] https://www.theregister.com/2023/07/04/smugx_europe_china_attack_europe/
[7] https://www.group-ib.com/blog/unc2891-bank-heist/
[8] https://www.theregister.com/2025/06/03/microsoft_crowdstrike_cybercrew_naming_clarity/
[9] https://www.theregister.com/2025/07/29/raspberry_pi_rp2350_update/
[10] https://www.theregister.com/2025/07/31/nhs_disability_equipment_provider_nears/
[11] https://www.theregister.com/2025/07/30/minnesota_gov_calls_in_national/
[12] https://www.theregister.com/2025/07/30/ingram_micro_ransomware_threat/
[13] https://www.theregister.com/2025/07/29/fbi_scattered_spider_alert/
[15] https://www.theregister.com/2025/07/29/linux_kernel_616/
Gives a whole new meaning to…
… Pi-hole.
What luck!
I've just decommissioned my Pi, freeing it up for "other purposes."
Banks have zero security
I know how that's done...
X25 links have a protocol that works like this
Fromaccount\n
Toaccount\n
Amount\n
Datetoday\n
Literally that. The protocol has a name; I think it's EDI.
No security, no check sums.
No support for \r\n, so that stops Windows hackers ;o)
But literally, you can clamp crocodile clips on wires outside banks and shovel cash around.
I know people who have done it.
Let me get this straight...
The internal LAN that has the ATMs on it also hosts the mail server and presumably random wall ports around the branch and hands out DHCP to any random unauthorized box on the network?
On the positive side:
1, My home LAN looks mil-spec secure by comparison
2, I'm going to wander down to the bank to see if they also leave the keys to the vault under the welcome mat
Easy money!
It would have been more impressive if they'd used an Atari Portfolio.