Denmark has publicly accused Russia of orchestrating cyberattacks targeting critical infrastructure and government websites in 2024 and 2025. The attacks, carried out by pro-Russian hacking groups, included disrupting a water utility and attempting to interfere with November elections. This marks the first time Copenhagen has directly attributed such malicious cyber activity to the Russian state, escalating tensions amid ongoing geopolitical conflicts.
The Danish Defence Intelligence Service revealed that the Z-Pentest group compromised the Tureby Alkestrup Waterworks in late 2024, manipulating water pressure and causing several pipes to burst in Køge, south of Copenhagen. Approximately 50 households experienced water outages for seven hours, while 450 homes were affected for one hour. Simultaneously, another group, NoName057(16), launched distributed denial-of-service (DDoS) attacks against Danish websites during the lead-up to regional and local elections.
Russia’s Growing Campaign of Cyberattacks
Danish authorities assert that both Z-Pentest and NoName057(16) are linked to the Russian government, functioning as instruments in Moscow’s hybrid warfare strategy. According to the intelligence agency, the aim is to sow insecurity within targeted countries and retaliate against those supporting Ukraine. Copenhagen has summoned the Russian ambassador to address these findings, with Defence Minister Troels Lund Poulsen condemning the attacks as “completely unacceptable.”
The vulnerability exploited at the Tureby Alkestrup Waterworks stemmed from a decision to reduce costs by implementing less secure cybersecurity measures. Jan Hansen, the facility’s head, advises other companies to prioritize robust cybersecurity and consider cyber insurance. Torsten Schack Pedersen, Denmark’s minister of resilience and preparedness, emphasized that while the damage was limited, the attacks demonstrated the potential to disrupt essential societal functions.
Understanding the Hacking Groups
The US Justice Department alleges that Z-Pentest was founded, financed, and directed by Russia’s military intelligence agency, the GRU. The group emerged in September 2024 following internal disagreements within another pro-Russian hacking collective. Z-Pentest has claimed responsibility for numerous attacks on critical infrastructure globally, including incidents targeting US drinking water systems and a meat processing facility in Los Angeles, causing significant damage and disruption.
NoName057(16) has been active since March 2022, consistently conducting DDoS attacks against government and private sector entities in NATO countries and other European nations. The group utilizes Telegram channels to recruit volunteers and operates proprietary software, DDoSia, incentivizing participation with cryptocurrency rewards and public leaderboards.
These incidents are not isolated events. Western officials are increasingly recognizing a pattern of Russian sabotage and disruption across Europe. An Associated Press database has documented 147 such incidents, indicating a broader, coordinated campaign. The Associated Press has been tracking these events.
Norway recently attributed an attack on the Bremanger dam in April to pro-Russian hackers, resulting in the release of 500 litres of water per second for four hours. While the damage was limited, Norwegian counter-intelligence officials believe the attack aimed to instill fear and demonstrate hacking capabilities. Germany also summoned the Russian ambassador last week following accusations of sabotage and election interference, including a 2024 cyberattack on German air traffic control.
Western intelligence suggests that since the full-scale invasion of Ukraine in February 2022, Russia has employed cyber warfare, sabotage, and influence operations to undermine support for Kyiv and identify vulnerabilities in European infrastructure. This includes attempts at political interference and disruption of essential services.
As investigations continue, European nations are bolstering their cyber defense capabilities and increasing cooperation to counter these threats. The Danish case underscores the importance of proactive cybersecurity measures and international collaboration in safeguarding critical infrastructure against state-sponsored attacks. Organizations should review their security protocols and prepare for potential future incidents as the geopolitical landscape remains volatile.
Additional sources • AP
