The Gentlemen Claims Responsibility for Mackay Sugar Ransomware Attack

Australia’s second-largest sugar producer is recovering from a ransomware attack that disrupted mill operations and harvesting activities during crushing season.

Mackay Sugar, Australia’s second-largest raw sugar producer, is continuing recovery efforts after a ransomware attack disrupted operations at multiple milling facilities during the peak crushing season, impacting harvesting, logistics, and cane processing activities across Queensland.

The company first disclosed the cyber incident on June 10, stating that it was responding to a cybersecurity event affecting parts of its operations. Mackay Sugar operates three cane-processing mills and plays a significant role in Australia’s sugar production industry.

While the company has not disclosed technical details surrounding the intrusion, operational updates issued over the past week indicate the attack affected systems supporting critical production workflows and forced temporary disruptions to milling activities.

Mills forced into limited operations

Following the incident, Mackay Sugar implemented contingency measures while working to restore affected systems.

On June 12, the company announced it had recommenced limited manual crushing operations at one of its mills to process cane harvested before the attack occurred. However, key cane supply, logistics, and operational systems remained unavailable, preventing the acceptance of additional harvested cane.

The disruption arrived during a critical period for growers and harvesting contractors, with harvesting schedules closely tied to milling capacity throughout the crushing season.

In an update issued on June 15, Mackay Sugar reported significant progress in restoring systems supporting harvesting and mill operations. The company said steam trials were underway and indicated some harvesting activity could resume this week ahead of a staged restart of crushing operations.

Despite the progress, Mackay Sugar advised growers and harvesters not to recommence harvesting until restoration and validation activities are completed.

The Gentlemen claims responsibility

The ransomware group known as The Gentlemen added Mackay Sugar to its leak site on June 15, claiming responsibility for the attack.

At the time of publication, the group had not released any allegedly stolen data and had not disclosed the volume or type of information it claims to have obtained from the company.

Mackay Sugar has not publicly confirmed any data theft and has not disclosed whether employee, customer, supplier, or business information was compromised during the incident.

The company had not issued any public statement at the time of publication addressing The Gentlemen’s claims.

Questions remain about operational technology impact

One of the most significant unanswered questions is whether operational technology or industrial control systems were directly affected by the attack.

Mackay Sugar’s public statements indicate that systems supporting harvesting logistics, cane supply management, and mill operations were impacted. However, the company has not disclosed whether attackers gained access to industrial control environments or whether operational disruptions resulted from precautionary shutdowns designed to contain the incident.

Cyberattacks targeting manufacturing and critical infrastructure organizations frequently result in operational downtime even when industrial systems themselves are not directly compromised, as affected companies isolate networks to prevent further spread of malware.

Microsoft tracks group as Storm-2697

The Gentlemen ransomware operation, tracked by Microsoft as Storm-2697, emerged in 2025 and has been linked to attacks involving both data theft and file encryption.

Security researchers have previously highlighted the group’s ransomware tooling due to its worm-like lateral movement capabilities, which can allow malware to spread across compromised environments more rapidly than traditional ransomware strains.

Like many modern ransomware operations, The Gentlemen reportedly combines data exfiltration with encryption-based extortion tactics designed to increase pressure on victims during negotiations.

It remains unclear whether the Mackay Sugar incident involved data theft, file encryption, or both.

Recovery efforts continue

Mackay Sugar says restoration work remains ongoing as teams continue rebuilding affected systems and preparing for the gradual resumption of harvesting and crushing operations.

The company has not provided a timeline for full recovery but indicated that progress over the weekend allowed restoration efforts to advance significantly.

The full scope of the incident, including any potential data compromise and the extent of operational disruption, remains under investigation.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
