The Rise of Cybercrime: Innovative Tactics in Bank Heists
In the ever-evolving landscape of cybercrime, criminals are continually adapting their methods to exploit vulnerabilities in financial institutions. A recent incident involving a cybercrime group known as UNC2891 highlights a particularly innovative approach: the use of a Raspberry Pi, a small and inexpensive computer, to gain unauthorized access to a bank’s network. This article delves into the details of this incident, the tactics employed by cybercriminals, and the implications for the finance and banking sector.
The Incident: A New Approach to Bank Heists
In the first quarter of 2025, cybersecurity firm Group-IB reported an attempted bank heist in the Asia-Pacific region, where attackers physically installed a 4G-enabled Raspberry Pi onto a network switch connected to an ATM. This seemingly innocuous device provided the attackers with remote access to the bank’s internal IT environment, allowing them to bypass traditional perimeter defenses entirely.
This unprecedented tactic underscores a significant shift in how cybercriminals approach bank heists. By leveraging small, low-cost hardware, they can execute sophisticated attacks that are difficult to detect and mitigate.
Technical Sophistication and Stealth
The attackers employed a range of advanced techniques to maintain stealth and persistence within the bank’s network. They utilized anti-forensics tactics, such as abusing Linux bind mounts, to conceal their activities and enable lateral movement across critical systems, including ATM switching servers. This level of sophistication indicates a deep technical expertise in Linux and Unix-based systems, as well as a history of successful attacks against financial institutions.
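One defensive check for the bind-mount anti-forensics mentioned above. This is an added example, not from the Group-IB report or the page; it assumes the commonly reported form of the technique, in which a directory is bind-mounted over a process's /proc/<pid> entry so that tools such as ps and top no longer see it. The mountinfo sample is constructed.

```python
import re

# Constructed sample of /proc/self/mountinfo output (not real evidence).
# The last line models an ext4 directory bind-mounted over /proc/1337,
# which hides that process from tools that walk /proc.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
37 22 0:28 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
90 28 8:1 /srv/data /mnt/data rw,relatime shared:1 - ext4 /dev/sda1 rw
412 22 8:1 /tmp/.x /proc/1337 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Mount points under a per-process directory: /proc/<pid> or /proc/<pid>/...
PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts with root, mount_point, fstype, source."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before " - " are positional; after it come fstype, source, options.
        pre, _, post = line.partition(" - ")
        pf, qf = pre.split(), post.split()
        entries.append({
            "root": _unescape(pf[3]),
            "mount_point": _unescape(pf[4]),
            "fstype": qf[0],
            "source": qf[1],
        })
    return entries

def find_hidden_pid_mounts(text):
    """Return (pid, fstype, bound_root) for non-proc filesystems mounted over /proc/<pid>."""
    findings = []
    for e in parse_mountinfo(text):
        m = PID_MOUNT.match(e["mount_point"])
        if m and e["fstype"] != "proc":
            findings.append((int(m.group(1)), e["fstype"], e["root"]))
    return findings

def scan_live(path="/proc/self/mountinfo"):
    """Run the check against the running host (Linux only)."""
    with open(path) as f:
        return find_hidden_pid_mounts(f.read())

if __name__ == "__main__":
    for pid, fstype, root in find_hidden_pid_mounts(SAMPLE_MOUNTINFO):
        print(f"suspicious: {fstype} root {root} mounted over /proc/{pid}")
```

Legitimate mounts under /proc, such as binfmt_misc, are not flagged because they do not sit under a numeric process directory; any hit should be cross-checked against the live /proc listing and the mount's backing directory.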
The group has been active since at least November 2017 and has demonstrated a consistent ability to adapt its tactics. In this case, the attackers aimed to facilitate cash-out attacks, allowing money mules to withdraw cash from ATMs without authorization.
The Role of Physical Access
To execute this attack, UNC2891 reportedly hired runners to physically plant the Raspberry Pi device at the bank’s ATM. This highlights a crucial aspect of modern cybercrime: the combination of physical and digital tactics. By gaining physical access to the bank’s infrastructure, attackers can establish footholds that are challenging to detect and remove.
The hardware required for such an attack is surprisingly affordable. A Raspberry Pi 4 costs around $35, while a modem kit can be acquired for approximately $140. This low-cost entry point makes it feasible for cybercriminals to launch sophisticated attacks without significant financial investment.
The Backdoor and Command-and-Control Infrastructure
Once inside the bank’s network, the attackers deployed a custom variant of the Tinyshell backdoor, allowing them to maintain an outbound channel to a command-and-control server. This setup enabled continuous external access to the ATM network, effectively bypassing perimeter firewalls and traditional network defenses.
The use of dynamic DNS for the command-and-control server added another layer of obfuscation. If the IP address associated with the domain was seized, the attackers could quickly reconfigure it to a new address, ensuring persistent access to the compromised network.
Challenges in Containment and Response
Although the immediate attack was thwarted, the incident revealed significant challenges in containing the threat. Even after the Raspberry Pi was removed, the attackers retained remote access through a backdoor installed on the bank’s mail server. This highlights the complexity of modern cybercrime, where attackers can maintain multiple access points within a network.
The multi-pivot access path employed by UNC2891—combining physical, network, and infrastructure control—made containment particularly challenging. This sophistication serves as a stark reminder of the evolving tactics used by cybercriminals and the need for financial institutions to bolster their defenses.
Implications for the Finance and Banking Sector
The incident involving UNC2891 serves as a wake-up call for the finance and banking sector. As cybercriminals continue to innovate and adapt their tactics, financial institutions must remain vigilant and proactive in their cybersecurity efforts. This includes investing in advanced threat detection systems, conducting regular security audits, and fostering a culture of cybersecurity awareness among employees.
Moreover, the blending of physical and digital tactics necessitates a comprehensive approach to security that encompasses both realms. Financial institutions must ensure that their physical infrastructure is secure while also implementing robust cybersecurity measures to protect against digital threats.
Conclusion
The attempted bank heist involving UNC2891 and the use of a Raspberry Pi exemplifies the evolving nature of cybercrime. As attackers become more sophisticated and resourceful, financial institutions must adapt their defenses accordingly. By understanding the tactics employed by cybercriminals and investing in comprehensive security measures, banks can better protect themselves against the growing threat of cybercrime.