Russian-Attributed Cyberattacks on Danish Water Utility and Election Infrastructure
Danish intelligence services have publicly attributed a series of destructive and disruptive cyberattacks targeting Denmark's critical infrastructure to Russian state-backed groups. The attacks included a significant incident against a Danish water utility, reportedly causing pipes to burst and temporarily leaving homes without water, as well as coordinated denial-of-service (DDoS) attacks that overwhelmed Danish websites ahead of regional and local elections. Authorities identified the groups Z-Pentest, linked to the water utility attack, and NoName057(16), responsible for the DDoS campaigns, as operating on behalf of the Russian state. These operations are described as part of Russia's broader hybrid warfare strategy aimed at destabilizing Western nations and punishing those supporting Ukraine.
The Danish Defence Intelligence Service emphasized that these cyber operations are intended to create insecurity and attract public attention, particularly during sensitive periods such as elections. The Danish government has condemned the attacks as unacceptable, with officials highlighting the incidents as clear evidence of ongoing hybrid warfare in Europe. In response, Denmark's foreign office has summoned the Russian ambassador for clarifications, underscoring the seriousness with which these state-attributed cyberattacks are being treated by Danish authorities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Denmark summons Russian ambassador over cyberattack allegations
Following the public attribution, Denmark summoned the Russian ambassador to explain the alleged Russian role in the attacks on water infrastructure and political party websites. Russia's ambassador denied the accusations and countered with unsupported claims against Denmark.
Denmark attributes water and election cyberattacks to Russia-linked groups
On December 19, 2025, the Danish Defence Intelligence Service publicly attributed the 2024 water utility attack to Z-Pentest and the 2025 election-related DDoS attacks to NoName057(16). Officials said the incidents were part of Russia's broader hybrid warfare campaign against countries supporting Ukraine.
DDoS attacks target Danish political party websites before elections
Ahead of Denmark's 2025 municipal and regional elections, a series of denial-of-service attacks temporarily knocked political party websites offline. Danish authorities later linked the activity to the pro-Russian group NoName057(16).
Cyberattack damages water utility infrastructure near Køge
In December 2024, attackers altered pump pressure at a Danish water utility near Køge, causing physical damage including burst pipes and temporary water outages. About 50 households were affected by the disruption.
Russia-linked attacks hit 22 Danish energy companies via Zyxel flaws
In May 2023, Denmark experienced its largest recorded cyberattack when 22 energy companies were compromised through zero-day vulnerabilities in Zyxel firewalls. At least one of the attacks was attributed to the Russia-linked Sandworm group.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Russia was behind a destructive cyber attack on a water utility in 2024, Denmark says
securityaffairs.com
Open sourceDenmark blames Russia for destructive cyberattack on water utility
bleepingcomputer.com
Open sourceDenmark says Russia was behind two ‘destructive and disruptive’ cyber-attacks
databreaches.net
Open sourceDenmark summons Russian ambassador over alleged cyberattacks on water utility, elections
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Coordinated Pro-Russian DDoS and Cyberattacks Targeting Denmark
The Danish Defence Intelligence Service (DDIS) publicly attributed two major cyber incidents to Russian-linked actors: a cyberattack on a Danish water utility in 2024 by the group Z-Pentest, and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of the municipal and regional council elections, attributed to NoName057(16). These attacks targeted critical infrastructure and government services, raising concerns about the security of essential services and the integrity of democratic processes in Denmark. The DDIS highlighted the connection between these threat actors and the Russian state, underscoring the geopolitical motivations behind the campaigns. In December 2025, threat intelligence analysis revealed a significant escalation in DDoS activity against Denmark, with NoName057(16) and their DDoSia project orchestrating 4,559 attacks against 148 unique domains and 137 IP addresses, primarily focusing on government, energy, telecommunications, and transportation sectors. The campaign also extended to Ukraine and other countries, but Denmark was a primary target, with municipal and local government websites bearing the brunt of the attacks. The use of port 443 (HTTPS) as the most targeted vector indicates a focus on disrupting secure web services critical to public administration and infrastructure.
Mar 21, 2026
Hacktivist Cyber Operations Escalate Amid Geopolitical Tensions
A newly formed Russian-aligned hacktivist coalition calling itself **Russian Legion** (reportedly comprising Cardinal, The White Pulse, Russian Partizan, and Inteid) announced “**OpDenmark**,” a campaign of **DDoS attacks** intended to disrupt Danish government services and critical infrastructure and pressure Denmark to reverse military support for Ukraine. Reporting indicates the group issued an ultimatum tied to Denmark’s planned **1.5 billion DKK** aid package, followed by service disruptions across multiple Danish organizations, including repeated targeting of the **energy sector**; analysts characterized the actor as *state-aligned but not state-funded*, using disruption and psychological pressure rather than confirmed destructive intrusions. Separately, a new hacktivist group, **Punishing Owl**, claimed a breach of a Russian government security agency, publishing stolen documents and using DNS manipulation to redirect traffic to attacker-controlled infrastructure hosting the leak and a manifesto. The operation reportedly expanded into **business email compromise** against partners/contractors and included tooling such as the **ZipWhisper PowerShell stealer**, with lures using password-protected ZIPs and disguised LNK files to execute PowerShell downloaders. An additional opinion piece highlighted a broader rise in **energy infrastructure** cyber operations (including referenced events affecting Poland and Venezuela) but did not provide corroboration or direct linkage to the Denmark DDoS campaign or the Punishing Owl intrusion.
Mar 21, 2026Coordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to **NoName057(16)** used the **DDoSia** tool to generate **6,649** recorded attack entries between Feb. 23 and Mar. 1, targeting **126 domains** and **135 IPs** with a multi-country focus on **Denmark, Greenland, and Ukraine**. Reported targeting emphasized public-sector services (about **44%** of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at `443/tcp` (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland. Separately, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the **Main Radio Frequency Center (GRFC)**. Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
Mar 21, 2026