Biden-Putin Summit and Why Threat Actors Just Won’t Give it a Rest

On June 11, McDonald’s said in a message to its U.S. employees that it had discovered unauthorized activity on an internal security system. The burger chain responded by bringing on external consultants to investigate what had happened, the Wall Street Journal reported.

The consultants’ work revealed that malicious actors had compromised data in the U.S., South Korean, and Taiwanese markets. McDonald’s Corporation said that attackers didn’t make off with customers’ information in a recent data breach.

Business at Its Restaurants Unaffected

A closer look revealed some crucial details about the security incident. McDonald’s learned that the breach had affected business contact information for U.S. employees and franchisees, for instance. In response, the fast-food company warned those employees and franchisees to be on the lookout for phishing attacks and other email-based scams.

McDonald’s investigation didn’t uncover any evidence that the incident had affected the data of its U.S. customers or the sensitive information of its U.S. employees. 

It was a different story for its South Korean and Taiwanese markets. Indeed, the burger chain found that the attackers had made off with customer emails, phone numbers, and addresses for delivery customers in those areas. It also determined that the malicious actors had stolen names and contact information for its Taiwanese employees.

The fast-food company clarified that the incident hadn’t affected business at any of its restaurants and hadn’t involved ransomware.

Following its discovery of the data breach, McDonald’s terminated the instance of unauthorized access discovered in its systems and notified Asian regulators about the data breach. A spokesperson for the company said that they’d also invest in blocking these types of attacks from happening in the future.

“McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures,” the company said, as quoted by the Wall Street Journal.

Threat Actors Just Won’t Give it a Rest

The silver lining appears to be that McDonald's has increased its investments in cybersecurity defense and that the data breach was discovered early enough to shut off access to critical corporate data, further customer data, and maybe even the recipe for the secret sauce used in McDonald's iconic Big Mac. Kudos to McDonald's for being transparent. 

We look forward to hearing more from them, as they can be seen as the hero in this situation if they prevent future data breaches and share some of their playbook with the industry to help keep other companies from being victimized. Having a post-breach mindset is critical in combating cyber risks to businesses. You must assume the threat actors will get in—because they eventually will—so that you can stop them quickly and push them out of your networks.

That being said, the McDonald's data breach is yet another reminder that every minute of every day, threat actors around the world are focused on cybercrime, espionage, and data theft. More and more, this activity is state sponsored and run through Russia, China, Iran, North Korea, and other countries that harbor cyber terrorists.

Make no mistake: while this newest threat doesn't appear to involve ransomware, data breaches are occurring more frequently, perhaps with fewer headlines because of the attention on the Colonial Pipeline, JBS, and SolarWinds attacks.

The FBI’s recovery of more than $2 million from the DarkSide threat actors who carried out the Colonial Pipeline breach sends a clear message to criminals that they are not immune to repercussions. Hopefully, the actors behind the McDonald's data breach feel the pressure from law enforcement agencies and we find out where they are located and bring them to justice. 

Ransomware gangs and cybercrime syndicates are startups, in a sense, with their own venture capital, business models, return on investment concerns, etc. But they must continue to be treated like the criminals they are, not glorified for breaking the law and causing disruptions around the world.

You can learn more from the new Cybereason global ransomware study, titled Ransomware: The True Cost to Business, which provides quantitative data and insights on the true cost of ransomware attacks for businesses.

With this week's Biden/Putin summit in Geneva taking place, will a photo op between the two leaders and a joint press conference lead to agreements around reining in the threat actors that Putin harbors in Russia and that other world leaders hide in their respective countries?

The answer is unequivocally “no.” Actions speak louder than words. If substantial progress is made on identifying the safe havens where threat actors operate in Russia, Eastern European countries, and other locations over the next 6-12 months, then we will know that the discussions in Geneva worked. 

If it's just more of the same, if the ransomware pandemic worsens and data breaches continue to increase, then we'll know that it's more of the same type of cyber saber rattling that has been going on for more than 20 years.

Hence the need for organizations to take matters into their own hands and gain the visibility necessary for stopping a malicious operation (Malop) in its tracks.

About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy, in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC, as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups, and is a board member of the Cybersecurity Coalition, of SSH Communications, and of Sequitur Labs.
