
Exclusive: Mackay Sugar cyber attack claimed by The Gentlemen ransomware

The cyber attack on major Australian sugar manufacturer Mackay Sugar has now been claimed by an infamous ransomware gang, which has set a timer for the release of data it allegedly stole.

Tue, 16 Jun 2026

Mackay Sugar is Australia’s second-largest manufacturer of sugar, with over 700,000 tonnes produced annually. It’s also one of the largest employers in the region. It operates a cogeneration plant that powers approximately a third of the Mackay region’s annual power requirements, roughly the same as 27,000 households.

On 10 June, Mackay Sugar disclosed the incident, confirming that some of its operations had been impacted, including two sugar mills in the region.

The attack has now been claimed by The Gentlemen, whose leak-site countdown gave just under 10 days, at the time of writing, before the stolen data is released.

As with its previous attacks, The Gentlemen is keeping silent ahead of publication: its listing gives no details of the incident, and the group makes no claim to be penetration testers.

At this stage, what data the threat actor claims to have stolen is unknown, as is the extent of the damage.

Meanwhile, in an updated statement released on 15 June, Mackay Sugar said it was working with authorities to restore systems. According to that update, published yesterday, some systems have been restored while others are in the process of returning to normal.

“We have completed a successful limited manual crushing operation at Farleigh Mill, processing cane harvested prior to the incident. This was a step forward in our recovery efforts, giving us confidence that critical operational functions can continue to be restored safely,” the update said.

“Significant progress has been made over the weekend in restoring the systems that support cane supply, harvesting, and mill operations.

“Steam trials are now underway, and subject to final validation activities, some harvesting is expected to recommence this week in preparation for the staged restart of crushing operations later this week. We have taken the responsible course of action in advising growers and harvesters not to recommence harvesting until we advise them to do so.”

Mackay Sugar reiterated that it was working with authorities and was communicating with key partners, growers, and employees.

“We recognise the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible,” it said.

Who is The Gentlemen?

The Gentlemen was first observed last September, launching with 32 victims on its dark web leak site.

While little was initially known about the group, Trend Micro, which had begun tracking it in August last year, published early details of its tradecraft.

“This threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic compromise of enterprise environments,” Trend Micro said in a recent blog post.

“By adapting their tools mid-campaign – shifting from generic anti-AV utilities to highly targeted, specific variants – the attackers demonstrate versatility and determination, posing a significant threat to organisations regardless of their security defences.”

Trend Micro did not specify the group's initial access vector, but identified it as favouring compromised credentials and breaches of internet-facing services. The group was also observed abusing a legitimate but vulnerable driver to evade detection, a bring-your-own-vulnerable-driver technique: it deploys All.exe alongside ThrottleBlood.sys, using the driver to act at kernel level and so gain the ability to terminate security software processes at will.

“The tool operates by loading the vulnerable driver and using it to kill protected processes that would normally be shielded from termination,” Trend Micro said.

“Recognising the limitations of this initial approach, the threat actors shifted tactics and began conducting detailed reconnaissance of the endpoint protection mechanisms in place. This allowed them to identify specific security controls and tailor their methods accordingly.”

Next in the attack chain comes PowerRun.exe to elevate privileges, followed by an enhanced version of the evasion tool, Allpatch2.exe, tailored to the specific endpoint protection identified during that reconnaissance.

From there, the group uses living-off-the-land techniques to evade detection while moving laterally through the network, collecting data and weakening security controls. In the final stage, it stops any services that could leave traces of its activity or assist recovery and forensic investigation, changes firewall rules and neutralises Windows Defender, so that its access persists while ransom negotiations take place.
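The chain described above (a vulnerable driver loaded by All.exe, protected security processes killed, then Defender disabled and firewall rules changed) is exactly the sequence a detection engineer would want to correlate rather than alert on piecemeal. The following is an added example, not code from Trend Micro or from the article: it runs a simple windowed correlation over constructed, Sysmon-style endpoint events. The event field names, the host names, the sample paths and the list of protected AV/EDR process names are assumptions; only ThrottleBlood.sys and All.exe come from the text.

```python
"""Correlate endpoint telemetry into a BYOVD -> EDR-kill -> tamper chain.

Added example (not the article's or Trend Micro's code). Event records are
constructed below in a Sysmon-like shape; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Drivers known to be abused for kernel-level process termination. The article
# names ThrottleBlood.sys; in production this set would come from Microsoft's
# vulnerable-driver blocklist and be matched on file hash as well as name.
VULNERABLE_DRIVERS = {"throttleblood.sys"}

# Assumed examples of AV/EDR processes that run protected (PPL) and should
# never be terminated by a user-mode tool.
PROTECTED_PROCESSES = {"msmpeng.exe", "mssense.exe"}

# Normalised tamper events an EDR/SIEM would derive from the Defender
# operational log and Windows Firewall audit events (names are assumptions).
TAMPER_EVENTS = {"defender_disabled", "firewall_rule_added"}

# How long after the driver load we look for follow-on activity.
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    # MILL-WS-07: the full chain within a few minutes
    {"ts": "2026-06-09T01:12:04", "host": "MILL-WS-07", "event": "driver_load",
     "image": r"C:\Users\Public\ThrottleBlood.sys", "loader": r"C:\Users\Public\All.exe"},
    {"ts": "2026-06-09T01:12:09", "host": "MILL-WS-07", "event": "process_terminated",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"ts": "2026-06-09T01:12:10", "host": "MILL-WS-07", "event": "process_terminated",
     "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"ts": "2026-06-09T01:14:30", "host": "MILL-WS-07", "event": "defender_disabled",
     "detail": "Real-time protection disabled"},
    {"ts": "2026-06-09T01:15:02", "host": "MILL-WS-07", "event": "firewall_rule_added",
     "detail": "Allow TCP 3389 inbound"},
    # ADMIN-PC-02: a legitimate driver load and an unrelated process exit (benign)
    {"ts": "2026-06-09T01:20:00", "host": "ADMIN-PC-02", "event": "driver_load",
     "image": r"C:\Windows\System32\drivers\nvlddmkm.sys", "loader": r"C:\Windows\System32\services.exe"},
    {"ts": "2026-06-09T01:21:00", "host": "ADMIN-PC-02", "event": "process_terminated",
     "image": r"C:\Windows\System32\notepad.exe"},
    # MILL-WS-12: vulnerable driver loaded, but the kill happens outside the window
    {"ts": "2026-06-09T02:00:00", "host": "MILL-WS-12", "event": "driver_load",
     "image": r"C:\Temp\ThrottleBlood.sys", "loader": r"C:\Temp\All.exe"},
    {"ts": "2026-06-09T03:05:00", "host": "MILL-WS-12", "event": "process_terminated",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores location and case."""
    return PureWindowsPath(path).name.lower()


def correlate(events, window: timedelta = WINDOW):
    """Return one alert per vulnerable-driver load, enriched with what followed it.

    Severity: critical if a protected AV/EDR process died inside the window,
    high if only tamper events followed, medium for a bare driver load (the
    load alone is already abnormal and worth triage).
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["event"] != "driver_load" or basename(ev["image"]) not in VULNERABLE_DRIVERS:
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            killed, tamper = [], []
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break   # events are time-ordered, so nothing later can be in the window
                if later["event"] == "process_terminated" and basename(later["image"]) in PROTECTED_PROCESSES:
                    killed.append(basename(later["image"]))
                elif later["event"] in TAMPER_EVENTS:
                    tamper.append(later["event"])
            severity = "critical" if killed else ("high" if tamper else "medium")
            alerts.append({"host": host, "driver": basename(ev["image"]), "loaded_by": ev["loader"],
                           "first_seen": ev["ts"], "killed": killed, "tamper": tamper,
                           "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of correlating rather than alerting on each event separately is that a process-termination alert for Defender arrives after the EDR has already been killed, while the driver load that precedes it is visible from the kernel's own driver-load telemetry and from the loader process (All.exe above) that mapped it. A preventive control worth checking alongside this is Microsoft's vulnerable driver blocklist (enforced through HVCI or the `VulnerableDriverBlocklistEnable` Code Integrity setting), which stops the driver from loading in the first place.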

“Overall, the campaign highlights the threat actors’ understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data theft for double extortion, and the eventual successful deployment of ransomware using domain administrator privileges for maximum impact,” Trend Micro said.


Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.