Full Report
Cane farmers in the Mackay region were notified early on Wednesday to stop harvesting, after a cyber incident brought sugar milling at two north Queensland mills to a halt. It said its focus was staff safety and "ensuring business continuity". Canegrowers Mackay chairman Joseph Borg said many growers were issued with "cease harvesting" advice by Mackay Sugar early on Wednesday morning. He said the cyber incident had affected multiple parts of the business. "For trains on the tracks, they have fallback measures to get them back to the factories, and they're doing that," he said. "From my understanding, there'll be more communication when that information comes out." Canegrowers Mackay district manager Michelle Martin said while it was "a bit of a hit" for the growers affected, a shutdown of this scale was better earlier in the season.
Analysis Summary
# Incident Report: Operations Shutdown at Mackay Sugar Mills
## Executive Summary
On June 10, 2026, Mackay Sugar, Australia's second-largest raw sugar producer, suspended operations at two major mills (Farleigh and Racecourse) following a significant cyber security incident. The attack forced a total halt to sugar crushing and automated cane haulage, requiring manual "fallback measures" to recover trains on the tracks. While recovery activities are underway, the incident has disrupted the early harvest season for approximately 1,300 local growers.
## Incident Details
- **Discovery Date:** June 10, 2026 (~04:00 AM)
- **Incident Date:** June 10, 2026
- **Affected Organization:** Mackay Sugar
- **Sector:** Agriculture / Critical Manufacturing
- **Geography:** Mackay region, North Queensland, Australia
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to 04:00 AM on June 10, 2026)
- **Vector:** Unknown/Not Disclosed
- **Details:** The specific initial entry point was not disclosed in the initial report.
### Lateral Movement
- **Details:** The incident affected "multiple parts of the business," suggesting lateral movement from IT corporate systems into Operational Technology (OT) networks or centralized logistics management systems.
### Data Exfiltration/Impact
- **Impact:** System-wide disruption. Functional loss of milling software and cane rail network coordination. No specific data exfiltration was confirmed in this report.
### Detection & Response
- **How it was discovered:** Detection occurred in the early morning hours, likely via automated monitoring or system failure during the "sugar crush" operations.
- **Response actions taken:**
  - Automated milling halted at Farleigh and Racecourse mills.
  - Issued "cease harvesting" notifications to growers at 04:00 AM.
  - Implemented manual fallback measures to return cane trains to factories safely.
  - Initiated "recovery activities" to restore business continuity.
## Attack Methodology
*Note: Due to the early stage of the report, specific technical TTPs (Tactics, Techniques, and Procedures) have not been fully disclosed.*
- **Initial Access:** Unknown (Common vectors in this sector include Phishing or Brute Force on Remote Access).
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Undisclosed.
- **Credential Access:** Undisclosed.
- **Discovery:** Undisclosed.
- **Lateral Movement:** Inferred movement from IT to OT systems due to the shutdown of industrial milling operations.
- **Collection:** Undisclosed.
- **Exfiltration:** Undisclosed.
- **Impact:** **T1489 (Service Stop)** and **T1491 (Inhibit Response/Recovery)**: Logical shutdown of the milling process and rail logistics.
## Impact Assessment
- **Financial:** High (Disruption to peak harvest season and idling of workforce/equipment for 1,300 farms).
- **Data Breach:** Undetermined.
- **Operational:** Severe (Shutdown of two of three primary production facilities; significant logistical disruption to rail network).
- **Reputational:** Moderate (Public acknowledgment of vulnerability in critical regional infrastructure).
## Indicators of Compromise
- **Network indicators:** None disclosed.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Sudden loss of connectivity to milling control systems and automated rail dispatching.
## Response Actions
- **Containment measures:** Isolation of affected segments of the network to prevent spread to the third mill (Marian).
- **Eradication steps:** Ongoing recovery activities and system sanitization.
- **Recovery actions:** Deployment of manual safety "fallback measures" for rail transport.
## Lessons Learned
- **OT/IT Convergence:** The incident highlights how a cyber event can physically stop heavy machinery and rail transport, emphasizing the need for robust air-gapping or segmented OT environments.
- **Communication Speed:** The organization effectively notified stakeholders (growers) within hours of detection, preventing further upstream waste (harvested cane that cannot be processed).
- **Resilience Planning:** The presence of "fallback measures" for trains suggests Mackay Sugar had contingency plans for technical failures, even if the root cause was a cyberattack.
## Recommendations
- **Network Segmentation:** Ensure strict isolation between Corporate IT and Industrial Control Systems (ICS/SCADA) to prevent cross-contamination.
- **Incident Response Drills:** Conduct tabletop exercises specifically for "Physical-to-Digital" scenarios, such as manual operation of rail and milling equipment during a total IT blackout.
- **Multi-Factor Authentication (MFA):** As noted by experts in the report, ensure MFA is enforced on all remote access points to prevent common initial access vectors.
- **Off-site Backups:** Maintain immutable, offline backups of industrial configurations to ensure rapid restoration of milling software.