Australian Sugar Producer Mackay Sugar Reports Cyber Incident


Mackay Sugar, Australia’s second-largest sugar producer, disclosed a cyberattack on June 10, potentially affecting key processing operations.

Mackay Sugar is one of Australia’s largest sugar producers and the country’s second-largest sugar manufacturer. The company is based in the Mackay region of tropical North Queensland and has more than 140 years of history in sugar cane processing. It operates three major sugar mills, Farleigh, Marian, and Racecourse, and produces around 700,000 tonnes of raw sugar annually for domestic and export markets.

The company disclosed a cyberattack on June 10. The timing is brutal: the attack hit during the crushing season, when mills run continuously and any interruption means cane sitting in fields or trucks with nowhere to go. Two of the three mills appear to have been forced offline.

“Mackay Sugar is responding to a cyber security incident affecting some of our operations.” reads the report published by the company. “Our immediate focus is the safety of our people, protecting operational systems, and maintaining business continuity.”

The company engaged cybersecurity experts to investigate the security breach, contacted relevant authorities, and stood up manual workarounds to keep critical functions running. It didn’t say which systems were hit, whether operational technology was involved, or whether any data was taken.

By June 12, Mackay Sugar had managed to restart a limited manual crushing operation at Farleigh Mill, processing cane that had been harvested before the attack. That’s a meaningful distinction: the mill ran on cane already cut, not on fresh supply coming in from the field. The rest of the supply chain, the systems that coordinate cane delivery, harvesting logistics, and mill intake, was still down. No new cane was being accepted. The June 15 update showed progress but not resolution.

“Significant progress has been made over the weekend in restoring the systems that support cane supply, harvesting and mill operations.” reads the update published on June 15, 2026. “Steam trials are now underway, and subject to final validation activities, some harvesting is expected to recommence this week in preparation for the staged restart of crushing operations later this week. We have taken the responsible course of action in advising growers and harvesters not to recommence harvesting until we advise them to do so.”

Steam trials mean the mill is testing whether its boilers and processing equipment can run safely before committing to a full restart. It’s the last check before cane goes back in.

Growers and harvesters were told explicitly to hold. “We have taken the responsible course of action in advising growers and harvesters not to recommence harvesting until we advise them to do so.” continues the report. “We recognise the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible.” For growers, every day of delay means cane loses sugar content in the field and incurs logistics costs with nowhere to bill.

The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, claimed responsibility for the attack and added Mackay Sugar to its Tor-based data leak site on June 15. At this time, no data has been leaked, which usually means negotiations are still ongoing. The Gentlemen surfaced as a ransomware operation in September 2025 and, by June 13, 2026, had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone. That makes them the second most prolific ransomware brand of the year by published victim count, behind only Qilin.

A May 2026 leak of the group’s internal chat logs handed researchers at KELA a rare look inside: nine core members, AI-assisted tooling, and an access model built almost entirely on credentials stolen by commodity infostealer malware.

The affiliate model is straightforward and aggressive. A small core team builds and maintains the ransomware and the negotiation panel. External operators carry out the actual intrusions and keep 90% of each ransom, which is a generous split even by current standards. The leaked chats, spanning November 7, 2025 to April 30, 2026, read less like a criminal conspiracy than a small product team arguing about infrastructure choices and which AI model to use for data analysis.

Mackay Sugar’s public statements don’t mention data compromise, and it’s still unclear whether the attackers reached industrial control systems directly or whether operational technology was affected as a downstream consequence of IT systems going down. That distinction matters: IT recovery and OT recovery are different problems with different timelines, and a mill that’s restored its business systems but hasn’t verified its control systems is not a mill that’s ready to crush.

Pierluigi Paganini

(SecurityAffairs – hacking, Mackay Sugar)