
When responders opened an innocuous cabinet at a regional branch of an international bank this spring, they found a Raspberry Pi single‑board computer that should never have been there. LightBasin operators had slipped the board into place, paired it with a 4G USB modem, and plugged its USB‑C power lead into the nearest outlet. The improvised kit offered a clean cellular path straight into the bank’s internal network, quietly sidestepping every perimeter firewall and NAC control the institution had relied on for years.
How the Breach Unfolded
Unlike many headline breaches, the attackers did not siphon account data through the modem; they used LTE only for command and control. Investigators confirmed that no customer records traversed the air: the immutable audit logs showed beacon traffic but no data sets flowing across the 4G link. How LightBasin got the device into the branch is unknown. Investigators found the single‑board computer tucked inside the branch’s communications cabinet. Once powered, the device used a TINYSHELL backdoor to call home through a Dynamic‑DNS domain, creating a covert channel that sidestepped perimeter firewalls via the 4G modem. The attackers directed TINYSHELL to pull tooling, map hosts, and prepare the environment for a cash‑out run.
Every ten minutes, the server reached back to the Raspberry Pi on port 929, using the single‑board computer as a relay. From that beachhead, the attackers pivoted to the network‑monitoring and mail servers, laying the groundwork to deploy CAKETAP, a Solaris rootkit designed to tamper with Hardware Security Module (HSM) responses on the bank’s ATM switch. Mandiant first documented the malware in 2022; Group‑IB’s new case suggests the operators still view ATM networks as lucrative terrain. Standard live‑response tools showed no rogue processes even as traffic to the Pi beaconed every ten minutes: the perpetrators had used an obscure Linux filesystem feature to hide their malicious software from standard host‑based security tools, so the SOC missed the implant’s pings.
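Host‑side tooling missed the implant, but the ten‑minute reach‑back to port 929 still leaves a trace in connection records (NetFlow, firewall or switch logs) from the internal segment. The following check computes the cadence of each source/destination/port flow and flags the ones that recur on a near‑constant schedule. This is an added example, not code from the article or from Group‑IB’s investigation; the record layout (timestamp, source, destination, port, protocol), the thresholds, and the sample records are all constructed assumptions.

```python
"""Periodicity check over connection records (added example).

The record layout (timestamp src dst dport proto), the thresholds and the
sample records are assumptions; the sample mirrors the ten-minute reach-back
to port 929 described in the article, mixed with ordinary HTTPS traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: an internal server (10.20.30.5) contacting the implant
# (10.20.30.77) on TCP/929 roughly every 600 s, plus unrelated HTTPS flows.
SAMPLE_RECORDS = """\
2025-04-02T09:00:00Z 10.20.30.5 10.20.30.77 929 tcp
2025-04-02T09:03:17Z 10.20.30.5 10.20.30.10 443 tcp
2025-04-02T09:10:02Z 10.20.30.5 10.20.30.77 929 tcp
2025-04-02T09:11:40Z 10.20.30.5 10.20.30.10 443 tcp
2025-04-02T09:19:58Z 10.20.30.5 10.20.30.77 929 tcp
2025-04-02T09:25:05Z 10.20.30.5 10.20.30.10 443 tcp
2025-04-02T09:30:01Z 10.20.30.5 10.20.30.77 929 tcp
2025-04-02T09:40:00Z 10.20.30.5 10.20.30.77 929 tcp
2025-04-02T09:47:31Z 10.20.30.5 10.20.30.10 443 tcp
2025-04-02T09:49:59Z 10.20.30.5 10.20.30.77 929 tcp
"""


def parse_records(text):
    """Group connection timestamps by (src, dst, dport, proto)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flows[(src, dst, int(dport), proto)].append(when)
    return flows


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation), or None."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, min_intervals=4, max_cv=0.1):
    """Flag flows with many gaps whose spread (std dev / mean) is tiny.

    A low coefficient of variation means the connections recur on a fixed
    schedule, as the ten-minute reach-back to the Pi did. The thresholds
    are assumptions; tune them against your own baseline.
    """
    hits = []
    for key, times in flows.items():
        if len(times) - 1 < min_intervals:
            continue
        stats = interval_stats(times)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            hits.append({"flow": key, "connections": len(times),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_records(SAMPLE_RECORDS)):
        src, dst, dport, proto = hit["flow"]
        print(f"periodic flow {src} -> {dst}:{dport}/{proto} every "
              f"~{hit['period_s']}s over {hit['connections']} connections "
              f"(cv={hit['cv']})")
```

Periodicity alone is not proof of compromise: monitoring pollers, NTP and health checks are periodic too, so pair the output with an allow list of known pollers and treat an unknown destination on an unusual port, such as an internal address on 929, as the signal worth a ticket.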
Although LightBasin’s plan to spoof authorization messages and trigger fraudulent cash‑outs ultimately failed, the incident exposed how attackers can still defeat a multi‑million‑dollar network security infrastructure by bypassing physical security controls and planting a basic wireless implant inside the on‑premises network.
Critical Detection Blind Spots and Evasion Techniques
The attackers demonstrated advanced operational security by exploiting obscure Linux filesystem features, specifically bind-mount evasion techniques, rendering their malicious processes invisible to standard endpoint detection and response (EDR) tools. Despite beaconing activity occurring every ten minutes, traditional security monitoring failed to detect the rogue device’s presence.
The attack vector leveraged several critical security gaps:
- Physical Security Bypass: Unrestricted and unmonitored physical access to network infrastructure enabled initial device placement
- Process-Level Invisibility: Advanced filesystem manipulation techniques ensured host-based security agents never logged the malicious socket connections
- Wireless Spectrum Blindness: The complete lack of RF monitoring allowed the 4G-enabled device to continue operating undetected. Short, periodic beacons transmitted over 4G networks blended seamlessly with legitimate telemetry traffic, avoiding detection by data loss prevention (DLP) systems monitoring traditional network egress points.
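The bind‑mount evasion named above works by mounting a directory over /proc/&lt;pid&gt;: tools that walk /proc (ps, top, many EDR sensors) can no longer read that process’s stat files and silently skip it. Two independent checks catch this from the defender’s side: scan the mount table for anything mounted on a PID directory, and compare the PIDs that answer a signal‑0 probe with the PIDs that have a readable /proc entry. This is an added example, not code from the article or from Group‑IB’s investigation; the mountinfo excerpt, the PID 4242 and the path /var/tmp/.cache are constructed placeholders.

```python
"""Spotting a process hidden behind a bind mount over /proc/<pid> (added example).

The mountinfo sample, PID 4242 and /var/tmp/.cache are constructed
placeholders, not values from the investigation.
"""
import os
import re

# Constructed /proc/self/mountinfo excerpt. Fields: mount id, parent id,
# major:minor, root, mount point, options, [optional fields] "-" fstype,
# source, super options. Only the fourth line is suspicious.
SAMPLE_MOUNTINFO = """\
21 26 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
40 21 0:35 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
26 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
88 21 8:1 /var/tmp/.cache /proc/4242 rw,relatime - ext4 /dev/sda1 rw
"""

_PROC_PID = re.compile(r"^/proc/(\d+)(?:/|$)")


def _unescape(field):
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Yield one dict (root, mount_point, fstype, source) per mountinfo line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        yield {"root": _unescape(lf[3]), "mount_point": _unescape(lf[4]),
               "fstype": rf[0], "source": _unescape(rf[1])}


def find_proc_overmounts(text):
    """Return mounts whose mount point is /proc/<pid> or beneath it.

    /proc itself and kernel mounts such as /proc/sys/fs/binfmt_misc do not
    match the PID pattern and are left alone.
    """
    hits = []
    for m in parse_mountinfo(text):
        match = _PROC_PID.match(m["mount_point"])
        if match:
            hits.append({"pid": int(match.group(1)), **m})
    return hits


def hidden_pids(probed, visible):
    """PIDs that answer a signal-0 probe but have no readable /proc entry."""
    return sorted(set(probed) - set(visible))


def visible_pids():
    """PIDs whose /proc/<pid>/stat is readable, i.e. what ps would list."""
    return {int(d) for d in os.listdir("/proc")
            if d.isdigit() and os.path.exists(f"/proc/{d}/stat")}


def probe_pids(max_pid=None):
    """Enumerate live PIDs with kill(pid, 0); EPERM still means it exists.

    Walking pid_max (often 4194304) takes a few seconds: fine for one-off
    triage, not for a tight loop.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for hit in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(f"/proc/{hit['pid']} is covered by {hit['fstype']} "
              f"from {hit['source']}:{hit['root']}")
    # Live triage when run on a Linux host (best run as root).
    if os.path.exists("/proc/self/mountinfo"):
        with open("/proc/self/mountinfo") as f:
            print("live overmounts:", find_proc_overmounts(f.read()) or "none")
        print("hidden PIDs:", hidden_pids(probe_pids(), visible_pids()) or "none")
```

Run it as root on the host being triaged. A mount sitting on a PID directory has no routine administrative use, so a single hit is worth a live‑response investigation on its own; the kill‑probe comparison is there as a second, independent view, so an operator who tampers with the mount table still has to survive the PID cross‑check.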
Most financial institutions diligently inspect Ethernet flows and Wi‑Fi channels, yet leave themselves blind to the vast radio frequency (RF) spectrum, where LTE, 5G, Bluetooth, Zigbee, and other IoT protocols live. A threat actor who controls an inexpensive modem can steer lateral movement, maintain resilience, and stage fraudulent transactions while security teams watch empty dashboards. Without a means of detecting the covert C2 channels, the bank was blind to the attack.
A Disturbing Pattern
This incident represents the latest evolution in a troubling trend of wireless-enabled physical attacks targeting financial institutions. The Dark Vishnya campaign of 2017-2018 saw at least eight successful breaches across Eastern European banks, where attackers physically infiltrated facilities to deploy 3G-enabled Raspberry Pi devices and other cyber-physical implants. These attacks resulted in millions of dollars in losses, demonstrating the devastating effectiveness of combining physical access with remote wireless communication channels that are invisible to traditional network monitoring tools.
What Could Have Stopped It? Bastille’s Wireless Airspace Defense System
Bastille’s Wireless Intrusion Detection System fills the wireless threat detection void. Its sensors listen passively across the RF spectrum from 100 MHz to 7.125 GHz, spotting and classifying every emitter without transmitting a single packet. The moment an unauthorized cellular transmission appears inside a vault, Bastille would detect the emitter, tie it to a physical location to within 1 to 3 meters, and stream an alert into the SOC’s SIEM workflow. Analysts can walk straight to the cabinet, pluck out the rogue device, and cut the attackers off before they reach deeper systems. Because the Bastille platform operates entirely through reception rather than interrogation, it satisfies even the strictest branch‑level compliance rules while still delivering granular wireless intelligence in real time.
Bastille’s passive sensor array system provides organizations with:
- Full-spectrum awareness: Continuously monitor the entire RF band from 100 MHz to 7.125 GHz, identifying every wireless device transmission within protected facilities.
- Real-time detection: The system immediately alerts on the presence of an unknown emitter in a sensitive or restricted area.
- RF localization accurate to 1–3 m: The system can pinpoint the exact cabinet holding the rogue implant, enabling a rapid physical response.
- Persistent signal tracking: Ongoing monitoring would follow every transmission from the implant and push real-time alerts on attempted data exfiltration.
Imagine this incident playing out in a branch protected by the Bastille Wireless Airspace Defense platform. Within seconds of the Raspberry Pi’s modem negotiating with the nearest cell tower, Bastille would surface an alert that a cellular transmitter is somewhere it isn’t supposed to be, complete with its location on a floor plan of the monitored space. The SOC would correlate that alert with a simultaneous spike in outbound traffic on port 929. Responders could then arrive on‑site, trace the signal to the rack, and recover the Raspberry Pi before LightBasin could deploy CAKETAP or modify a single HSM response.
Takeaways from the attack
This attack exploited the critical assumption that network traffic must traverse monitored chokepoints. By introducing a cellular‑enabled device with direct physical access to internal networks, the attackers created an alternate data path invisible to conventional security tools. No firewall rule fired on the attackers’ initial access because the implant sat inside the bank’s network and was controlled over an unmonitored cellular connection.
Organizations should add wireless airspace defense to their SOC dashboards. For banks, government agencies, and data‑center operators, the lesson is clear: network visibility now begins one layer down, in the airspace. Knowing all of the data channels operating in your facility is now as critical as NetFlow or endpoint telemetry.