New ATM Jackpotting Tactic Emerges: 4G Router Exploitation by UNC2891
Mandiant links financially motivated hackers to ATM jackpotting campaign by exploiting 4G LTE router vulnerabilities at banking institutions.
UNC2891 Orchestrates Sophisticated ATM Breach via Mobile Routers
By El Mostafa Ouchen | August 4, 2025
A financially motivated threat group known as UNC2891 has been identified as the orchestrator of a coordinated cyberattack that breached ATM networks across Europe by exploiting 4G LTE routers used by banks and ATM operators, according to a detailed analysis by Google’s Mandiant threat intelligence division.
The attackers hijacked poorly secured mobile broadband routers—commonly deployed at remote ATM locations—and used them as covert entry points into financial institutions’ internal systems. From there, they executed high-impact jackpotting operations, forcing ATMs to dispense large sums of cash while evading detection.
“This is a wake-up call for the financial sector,” said Sandra Ling, senior threat analyst at Mandiant. “The attack didn’t exploit banking apps or endpoints—it exploited the very infrastructure trusted to connect them.”
How the Attack Worked: Technical Breakdown
UNC2891’s tactics were both stealthy and technically advanced. Here’s how the breach unfolded:
- Reconnaissance – The group scanned the internet for 4G LTE routers with default passwords or exposed management interfaces.
- Initial Access – Remote access was gained through insecure SSH ports or unpatched web panels, allowing full control of the router.
- C2 and Persistence – The hackers deployed command-and-control agents, camouflaged as legitimate router services.
- Lateral Movement – Using the router, they pivoted into the internal ATM management network, exploiting routing misconfigurations and VPN tunnels.
- Malware Deployment – Custom ATM malware was installed to override cash dispensing logic, often disabling anti-fraud and alarm systems.
- Jackpotting Execution – ATMs were remotely instructed to eject cash (“jackpotting”) without triggering alerts.
- Cleanup – Routers were wiped or factory reset, erasing logs and hindering forensic investigation.
Why This Matters: The Infrastructure Blind Spot
Unlike phishing or ransomware, this attack highlights a growing infrastructure-based threat that targets the underbelly of modern financial networks—mobile routers, IoT devices, and VPN gateways.
Mandiant emphasized that many institutions deploy LTE routers in remote locations without proper segmentation or monitoring. These devices often lack multi-factor authentication, firmware patching, and centralized logging—making them ripe for exploitation.
“This incident represents the intersection of cybercrime and critical telecom infrastructure,” said Florent Nizier, cybersecurity advisor at CERT-EU.
Geopolitical Reach and Attribution
The UNC2891 group, active since 2022, is believed to be based in Eastern Europe. Unlike nation-state actors, their primary goal is financial gain. The tools and techniques used in this campaign mirror earlier ATM malware attacks seen in Southeast Asia and Latin America, but this is the first known router-enabled breach at this scale in Europe.
Recommendations for Financial Institutions
In response to the breach, security experts recommend:
- Enforcing strong authentication on all remote access devices
- Performing immediate firmware updates on LTE/5G routers
- Implementing network segmentation between routers and core ATM systems
- Monitoring for abnormal ATM commands or reverse connections
- Disabling unused management interfaces and default ports
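One way to put the monitoring recommendation above into practice, as an added example that is not from the article or from Mandiant: a small Python triage over NetFlow-style records from an LTE router, flagging the three behaviours the breakdown describes from the defender's side (management ports reached from outside, outbound reverse connections to anything other than the bank's own VPN endpoint, and sessions the router itself opens into the ATM network). The addresses, ports, allow-list and record format are all constructed placeholders, not values from the incident.

```python
import ipaddress
from typing import List, Tuple

# Constructed site layout: documentation-range placeholders, not real infrastructure.
ROUTER_ADDRS = {"10.20.0.1", "198.51.100.200"}          # LTE router LAN and WAN side
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # ATM site network behind it
ALLOWED_EXTERNAL = {"203.0.113.10"}                      # the bank's VPN concentrator
MGMT_PORTS = {22, 80, 443, 8080}                         # SSH and web admin panels

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return ip in ROUTER_ADDRS or any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> Tuple[str, int, str, int]:
    # Record format (constructed): "src:sport -> dst:dport"
    left, right = line.split(" -> ")
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return src, int(sport), dst, int(dport)

def classify(line: str) -> List[str]:
    """Return the name of every rule one flow record trips."""
    src, _, dst, dport = parse_flow(line)
    hits = []
    # Exposed management interface: an outside host reaching the router's admin ports.
    if not is_internal(src) and dst in ROUTER_ADDRS and dport in MGMT_PORTS:
        hits.append("exposed-management")
    # Reverse connection: router or ATM host calling out to an address that is not
    # the bank's own VPN endpoint, the shape a C2 beacon would take.
    if is_internal(src) and not is_internal(dst) and dst not in ALLOWED_EXTERNAL:
        hits.append("reverse-connection")
    # Router-originated lateral movement: a transit device forwards traffic, it should
    # not open management sessions into the ATM hosts behind it.
    if src in ROUTER_ADDRS and is_internal(dst) and dst not in ROUTER_ADDRS and dport in MGMT_PORTS:
        hits.append("router-originated-lateral")
    return hits

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    return [(rule, ln) for ln in lines for rule in classify(ln)]

# Constructed sample log: two expected flows followed by one hit per rule.
SAMPLE_FLOWS = [
    "10.20.5.10:50112 -> 203.0.113.10:443",        # ATM host to bank VPN: expected
    "203.0.113.10:443 -> 10.20.5.10:50112",        # return leg of that session
    "198.51.100.77:40311 -> 198.51.100.200:22",    # internet source on router SSH
    "198.51.100.200:33876 -> 198.51.100.9:8443",   # router beaconing outwards
    "10.20.0.1:51220 -> 10.20.5.12:22",            # router SSHing into an ATM host
]

if __name__ == "__main__":
    for rule, record in triage(SAMPLE_FLOWS):
        print(f"{rule:26} {record}")
```

In a real deployment the allow-list and internal ranges would come from the site inventory, and the rules would run continuously against exported flow data rather than a static list.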
Regulators in the EU and UK have issued alerts encouraging banks to conduct urgent audits of their mobile infrastructure.