UNC2891 Hackers Use Raspberry Pi 4G Device in Sophisticated Bank Network Attack

CyberSecureFox 🦊

Cybersecurity researchers at Group-IB have uncovered a sophisticated hybrid cyberattack orchestrated by the notorious UNC2891 (LightBasin) threat group. The attackers employed an innovative approach using a Raspberry Pi single-board computer equipped with a 4G module to establish a covert access channel into a banking institution’s internal network, successfully bypassing all perimeter security defenses.

Physical Access Leads to Network Compromise

The attack began with threat actors gaining physical access to a bank branch, either through direct infiltration or with assistance from an insider threat. The Raspberry Pi device with 4G connectivity was strategically connected to the same network switch as an ATM, creating a persistent communication channel to the bank’s internal infrastructure while circumventing traditional firewall protections.

Security analysts discovered that the attackers had deployed the TinyShell backdoor on the single-board computer, enabling remote command and control capabilities through the mobile network. This technique allowed the cybercriminals to maintain persistent access and conduct lateral movement across various banking systems without detection.

Advanced Evasion Techniques and Anti-Forensics

The LightBasin group demonstrated exceptional technical sophistication by implementing several advanced stealth methodologies. Their malicious backdoors were cleverly named lightdm to masquerade as legitimate Linux LightDM display manager processes, making detection significantly more challenging.

Particularly noteworthy was the threat actors’ use of an alternative filesystem mounting technique: they mounted tmpfs and ext4 filesystems over the /proc/[pid] directories of their malicious processes. Because forensic and monitoring tools read process metadata from /proc, this anti-forensic method effectively concealed that metadata from digital investigation tools, substantially complicating incident response efforts and malware analysis procedures.
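Both tricks described above leave traces a defender can look for from the host side. The following script is an added example, not code from the article or from Group-IB: it parses the kernel's `/proc/self/mountinfo` format and flags any filesystem whose mount point sits under a numeric `/proc/<pid>` directory (a legitimate system has none), and it checks whether a process calling itself `lightdm` actually runs from the expected display-manager binary. The mountinfo sample is constructed for illustration, the process-name/path table is an assumption (`/usr/sbin/lightdm` is the usual Debian/Ubuntu path), and `scan_live_mounts` simply applies the same parser to the real file.

```python
#!/usr/bin/env python3
"""Host-side checks for the two evasion tricks: /proc/<pid> overmounts and
process-name masquerading. Added example; sample data is constructed."""
import re
from typing import Dict, List

# A mount point directly under a numeric /proc/<pid> directory (or deeper).
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Assumed table: process names that should only ever run from these paths.
KNOWN_SYSTEM_BINARIES: Dict[str, set] = {
    "lightdm": {"/usr/sbin/lightdm"},
}

# Constructed /proc/self/mountinfo content. Field layout per proc(5):
# id parent maj:min root mountpoint mntopts [optional...] - fstype source superopts
# Lines 3 and 4 mimic the reported technique: tmpfs and ext4 over /proc/<pid>.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
31 22 0:45 / /proc/4242 rw,relatime shared:99 - tmpfs tmpfs rw,size=1024k
33 22 7:0 / /proc/4243 rw,relatime shared:101 - ext4 /dev/loop0 rw
40 28 0:46 / /tmp rw,nosuid,nodev shared:40 - tmpfs tmpfs rw
"""


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo text into dicts with mount_point, fstype and source."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The optional fields are terminated by a lone "-" separator.
        left, sep, right = line.partition(" - ")
        if not sep:
            continue
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue  # malformed line; skip rather than crash the scan
        entries.append({
            "mount_id": lf[0],
            "mount_point": _unescape(lf[4]),
            "fstype": rf[0],
            "source": _unescape(rf[1]),
        })
    return entries


def find_proc_overmounts(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every mount whose mount point hides a /proc/<pid> directory."""
    hits = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if m:
            hits.append({
                "pid": int(m.group(1)),
                "mount_point": e["mount_point"],
                "fstype": e["fstype"],
                "source": e["source"],
            })
    return hits


def is_masquerading(comm: str, exe_path: str) -> bool:
    """True if a process named like a known system daemon runs from elsewhere.
    comm comes from /proc/<pid>/comm, exe_path from readlink(/proc/<pid>/exe)."""
    expected = KNOWN_SYSTEM_BINARIES.get(comm)
    if expected is None:
        return False  # not a name we have a reference path for
    # The kernel appends " (deleted)" when the backing file was unlinked.
    clean = exe_path.replace(" (deleted)", "")
    return clean not in expected


def scan_live_mounts() -> List[Dict[str, object]]:
    """Run the overmount check against the real mount table (Linux only)."""
    with open("/proc/self/mountinfo", encoding="utf-8") as fh:
        return find_proc_overmounts(parse_mountinfo(fh.read()))


if __name__ == "__main__":
    for hit in find_proc_overmounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"ALERT: {hit['fstype']} ({hit['source']}) mounted over "
              f"{hit['mount_point']} hides metadata of pid {hit['pid']}")
    print("masquerade?", is_masquerading("lightdm", "/tmp/.x/lightdm"))
```

On a real host, the same check can be run from an unprivileged shell: any non-`proc` entry under `/proc/<pid>` in `findmnt` output is a strong signal, and the masquerade check is best paired with a package-manager integrity verification of the expected binary.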

LightBasin Group: A Persistent Financial Sector Threat

The UNC2891 group, also known as LightBasin, has maintained active operations since 2016, primarily targeting financial institutions worldwide. In 2022, Mandiant researchers identified the group’s custom-developed Caketap Unix rootkit, specifically engineered to operate on Oracle Solaris systems within banking environments.

Caketap’s primary function involves intercepting sensitive banking card data and PIN codes from compromised ATM servers. The rootkit specifically targets communications destined for Payment Hardware Security Modules (HSMs) – specialized hardware devices responsible for cryptographic key generation and management in financial transactions.

Network Infiltration and Lateral Movement Strategy

Following initial network access through the Raspberry Pi implant, the attackers systematically traversed the bank’s infrastructure using established lateral movement techniques. Their first intermediate target was a network monitoring server that provided enhanced connectivity to the banking data center environment.

Subsequently, the threat actors compromised an email server with direct internet connectivity, establishing an alternative command and control channel. This redundancy ensured continued network presence even after security teams discovered and removed the original Raspberry Pi access point.

Attack Objectives and Security Response

The ultimate goal of this sophisticated campaign was deploying the Caketap rootkit to enable ATM authorization spoofing and facilitate unauthorized cash withdrawal operations. However, the attackers’ plans were thwarted by prompt detection and response from the bank’s cybersecurity team, who identified suspicious network activity before significant financial damage occurred.

This incident represents a rare example of an advanced persistent threat combining physical infiltration with remote access capabilities. The creative use of consumer-grade hardware like Raspberry Pi demonstrates the evolving ingenuity of cybercriminals and highlights critical gaps in traditional security models. Financial institutions must implement comprehensive defense strategies that address both digital and physical security vectors, including strict access controls, network segmentation, and continuous monitoring of all connected devices within their infrastructure.
