Threat actor UNC2891 executed "Pi Heist" attacks by gaining physical access to bank ATM internals to deploy Raspberry Pi devices equipped with 4G LTE modems. By establishing a Layer 2 bridge between the internal ATM VLAN and an external Command-and-Control (C2) server, the attackers bypassed perimeter firewalls and Network Access Control (NAC). This persistent hardware backdoor allowed the adversary to pivot through the trusted network segment and issue unauthorized "dispense" commands directly to ATM cash dispensers, resulting in direct financial theft via jackpotting.
Incident Overview: Hybrid Physical-Network Breach
- Combines physical social engineering and chassis intrusion with advanced network exploitation.
- Discovered and analyzed by Group-IB, focusing on the TTPs of the adversary group UNC2891.
- Targets financial institutions with insufficient physical security and flat internal network segments.
Attack Vector: Hardware-Enabled Tunneling
- Physical Deployment: Installation of a Raspberry Pi single-board computer (SBC) within the ATM chassis or adjacent ports.
- Out-of-Band (OOB) Access: Integration of 4G LTE modules to maintain a stealthy, encrypted tunnel to external C2.
- Network Bypass: Creation of a physical Layer 2 bridge to circumvent organizational firewalls and NAC.
- Payload Execution: Use of the "shadow bridge" to send direct jackpotting commands to the cash dispenser.
Threat Actor Profile: UNC2891
- Specialization: Sophisticated physical network intrusion and ATM-specific hardware manipulation.
- Infrastructure: Utilizes specialized C2 infrastructure tailored for persistent hardware-based backdoors.
- Methodology: Focuses on bypassing logical perimeters by targeting the physical trust boundary.
Impact and Systemic Vulnerabilities
- Financial Loss: Immediate and direct currency theft through unauthorized ATM dispensing.
- Network Integrity: Full compromise of the trusted internal ATM VLAN, enabling further lateral movement.
- Physical Security Gap: Highlights critical failures in ATM chassis integrity and physical site monitoring.
Defensive Actions and Mitigation
- Physical Hardening: Implement high-security chassis locks and real-time tamper-detection sensors.
- Zero Trust Networking: Deploy strict MAC-based filtering and dynamic NAC policies to prevent unauthorized device bridging.
- Network Monitoring: Audit internal ports for unknown hardware and monitor for anomalous OOB traffic patterns.
- Protocol Security: Encrypt and authenticate commands between the ATM controller and the cash dispenser.
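As an added illustration of the port audit described above (this is not Group-IB's tooling or anything from the original report), the script below compares a switch MAC address table against an inventory of ATM-facing ports and flags a second MAC on a single-device port or a MAC whose OUI belongs to a single-board-computer vendor. The inventory, the table lines and the port names are constructed; the OUI prefixes are ones the IEEE registry lists for Raspberry Pi, and should be re-checked before use.

```python
# Added example: audit a switch MAC address table for unexpected hardware on
# ATM-facing ports. Inventory and table lines are constructed sample data.
from collections import defaultdict

# Constructed inventory: switch port -> MAC of the ATM expected on that port.
ATM_INVENTORY = {
    "Gi1/0/1": "00:1a:2b:3c:4d:01",
    "Gi1/0/2": "00:1a:2b:3c:4d:02",
}

# OUI prefixes the IEEE registry lists for Raspberry Pi; verify before relying on them.
SBC_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed "show mac address-table"-style output: vlan, mac, type, port.
SAMPLE_MAC_TABLE = """\
 100    00:1a:2b:3c:4d:01    DYNAMIC     Gi1/0/1
 100    00:1a:2b:3c:4d:02    DYNAMIC     Gi1/0/2
 100    dc:a6:32:11:22:33    DYNAMIC     Gi1/0/2
"""

def parse_mac_table(text):
    """Yield (port, mac) tuples from whitespace-separated table lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        yield fields[3], fields[1].lower()

def audit_atm_ports(table_text, inventory=ATM_INVENTORY, sbc_ouis=SBC_OUIS):
    """Return (port, mac, reason) findings for inventoried ATM ports.

    Caveat: a bridge that clones the ATM's own MAC is not visible here;
    pair this check with link-flap alerts and traffic baselining.
    """
    seen = defaultdict(set)
    for port, mac in parse_mac_table(table_text):
        if port in inventory:
            seen[port].add(mac)
    findings = []
    for port, expected in inventory.items():
        macs = seen[port]
        if len(macs) > 1:
            findings.append((port, ",".join(sorted(macs)),
                             "multiple MACs on single-device port (possible bridge)"))
        for mac in macs - {expected}:
            reason = "SBC vendor OUI on ATM port" if mac[:8] in sbc_ouis else "MAC not in inventory"
            findings.append((port, mac, reason))
    return findings
```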
Conclusion: The Erosion of the Physical Perimeter
- Demonstrates that logical security controls are rendered void once the physical hardware layer is compromised.
- Underscores the risk of "shadow" hardware acting as a persistent, invisible gateway into secure zones.