Mackay Sugar keeps cane in fields after cyberattack

Mackay Sugar told growers to keep sugar cane in the field this week while the Queensland producer restores mill systems after a June 10 cyberattack.

The company, Australia's second-largest sugar producer, processes cane from growers across the Mackay region. Mackay Sugar limited operations after it found the incident, then ran some manual crushing at Farleigh Mill on cane cut before the attack.

Mackay Sugar said June 15 that staff had restored systems that support cane supply, harvesting, and mill operations. The company said steam trials had started and some harvesting could resume this week before a staged restart of crushing.

The grower instruction carries weight because cut cane loses value fast. Mills need to process cane within about 48 hours after harvest to protect sucrose content and yield. Longer delays can trigger fermentation and lower returns for growers.

The attack also disrupts the cane rail network that moves harvested cane from farms to mills. If growers cut cane before a mill can receive it, rail sidings and bins can back up, and the crop can lose quality before crushing.

Mackay Sugar operates three Queensland mills. The attack hit Racecourse Mill, the company's main business site, and Farleigh Mill, its oldest mill. The company said Marian Mill did not suffer disruption.

Racecourse Mill produces 213,000 tons of raw sugar and 58,000 tons of molasses in a standard year. Its cogeneration plant produces 156,000 megawatt-hours of power, and the company sends about 71% of that electricity to the national grid. Farleigh Mill produces 196,000 tons of raw sugar and 49,000 tons of molasses in a standard year.

The cybercrime group The Gentlemen claimed the attack on its leak site, according to the source report. The group gave no details about the intrusion or any stolen data. Mackay Sugar describes the event as a cybersecurity incident, so compliance teams should treat ransomware, encryption, and data theft as unconfirmed unless the company or investigators say more.

Security teams have tracked The Gentlemen since July 2025 as a ransomware-as-a-service operation. The group uses affiliates, which lets different crews handle access, movement inside networks, encryption, and extortion. That model increases risk for industrial operators because attackers can move from business systems into operational workflows that farms, mills, and transport crews use each day.

Australia's critical infrastructure regime gives food and grocery operators a compliance checklist after incidents that affect production. The Security of Critical Infrastructure Act 2018, which commenced July 11, 2018, covers 11 sectors, including food and grocery. Parliament expanded the regime through 2021 and 2022 amendments.

Responsible entities for covered critical infrastructure assets must report a cyber incident within 12 hours if the incident has a relevant impact on the asset. They must report other reportable cyber incidents within 72 hours. The Cyber and Infrastructure Security Centre administers the regime, while the Australian Cyber Security Centre gives incident response guidance and reporting channels.

Food processors should confirm whether the affected asset falls under the Act, record the first time staff detected operational impact, and preserve evidence from technology and operational systems. They should also separate restoration from investigation work, because rushed recovery can destroy logs that investigators need.

Grower communication also needs structure. A mill operator should tell growers which sites can receive cane, which rail lines can move loads, and which harvesting windows the business can support. Vague restart messages create financial risk for growers who make harvest decisions before the mill can crush.

The Mackay Sugar case shows how a cyber incident can reach outside corporate IT within hours. A mill outage affects cane quality, farm income, transport schedules, electricity generation, and customer supply. For operators in agriculture and food processing, incident response plans need named contacts for growers, rail teams, insurers, regulators, and law enforcement.

Mackay Sugar said it would keep employees, growers, and partners informed while it restores operations. The company also said it would continue its investigation. The next compliance test comes with the restart: staff must validate systems, protect evidence, and avoid reconnecting compromised machines to production networks before responders understand the intrusion path.