Cyberattack halts Australia sugar producer's operations

A cyberattack on Mackay Sugar, Australia’s second-largest sugar producer, has disrupted operations across its Queensland mills, forcing farmers to delay harvesting and risking crop quality and income. The company disclosed the incident on June 10, limiting operations while addressing the fallout. While some manual crushing resumed at its Farleigh Mill site, most systems remain restricted, delaying the broader restart of harvesting and processing activities.

What happened

Mackay Sugar operates three mills in Queensland, two of which—Racecourse Mill and Farleigh Mill—were affected by the attack. The company’s largest facility, Marian Mill, remained operational. Racecourse Mill, which houses corporate offices and typically produces 213,000 tons of raw sugar annually, was among the hardest hit. The site also generates renewable electricity, 71% of which is fed back into the national grid. Farleigh Mill, the company’s oldest, produces around 196,000 tons of raw sugar per year.

The attack has had a cascading effect on the supply chain. Sugar cane must be processed within 48 hours of harvest to preserve sucrose content and prevent fermentation, which reduces yield and quality. With processing delayed, Mackay Sugar advised farmers to avoid harvesting, as late-harvested cane fetches lower prices. The disruption has also impacted railways used to transport cane from farms to mills.

Cybercrime group The Gentlemen claimed responsibility for the attack, listing Mackay Sugar on its data leak site. However, the company has not confirmed whether ransomware was involved, referring to the incident only as a "cyber security incident." The Gentlemen, classified as a ransomware-as-a-service provider, is known for double extortion tactics, though no evidence of data theft or encryption has been publicly confirmed in this case.

Impact on operations and stakeholders

Mackay Sugar stated that significant progress has been made in restoring systems, with steam trials underway and a staged restart of crushing operations expected later this week. However, the company acknowledged the financial strain on farmers and other partners, committing to regular updates and support. "We recognise the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible," the company said in a statement.

The attack highlights vulnerabilities in agricultural supply chains, where just-in-time processing is critical. Delays in harvesting and processing can lead to reduced crop quality, lower yields, and financial losses for farmers who rely on timely payments. The incident also underscores the broader risks of cyberattacks on industrial operations, where operational technology (OT) systems are increasingly interconnected with IT infrastructure.

Who is The Gentlemen?

The Gentlemen emerged in mid-2025 as a ransomware-as-a-service group, providing affiliates with a self-propagating file encryptor that increases the potential for widespread damage once initial access is gained. Microsoft’s threat intelligence team recently published a report detailing the group’s tactics, noting its partnership with BreachForums to recruit affiliates with skills in penetration testing and initial access brokering. While The Gentlemen is known for double extortion attacks, Mackay Sugar has not disclosed whether data was exfiltrated or encrypted in this incident.

What to watch

Mackay Sugar’s ability to fully restore systems and resume normal operations will determine the long-term impact on farmers and the broader supply chain. If delays persist, the financial toll on growers could escalate, particularly if crop quality deteriorates further. The incident also serves as a case study for the agricultural sector’s preparedness for cyber threats, particularly in industries reliant on time-sensitive processing. Regulatory scrutiny of critical infrastructure resilience may increase as a result, with potential implications for reporting requirements and incident response protocols.