Coordinated Pro-Russian DDoS and Cyberattacks Targeting Denmark
The Danish Defence Intelligence Service (DDIS) publicly attributed two major cyber incidents to Russian-linked actors: a cyberattack on a Danish water utility in 2024 by the group Z-Pentest, and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of the municipal and regional council elections, attributed to NoName057(16). These attacks targeted critical infrastructure and government services, raising concerns about the security of essential services and the integrity of democratic processes in Denmark. The DDIS highlighted the connection between these threat actors and the Russian state, underscoring the geopolitical motivations behind the campaigns.
In December 2025, threat intelligence analysis revealed a significant escalation in DDoS activity against Denmark, with NoName057(16) and their DDoSia project orchestrating 4,559 attacks against 148 unique domains and 137 IP addresses, primarily focusing on government, energy, telecommunications, and transportation sectors. The campaign also extended to Ukraine and other countries, but Denmark was a primary target, with municipal and local government websites bearing the brunt of the attacks. The use of port 443 (HTTPS) as the most targeted vector indicates a focus on disrupting secure web services critical to public administration and infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Denmark publicly accuses Russia over two 2024 cyberattacks
The Danish Defence Intelligence Service publicly accused Russia of orchestrating the 2024 water utility intrusion and the pre-election DDoS campaign. The statement marked an official attribution of both incidents to Russian-linked actors.
NoName057(16) launches major DDoS campaign against Denmark
Between December 15 and 21, 2025, Denmark was heavily targeted in a coordinated DDoS campaign attributed to NoName057(16) and its DDoSia project. The activity generated 4,559 attack entries against 148 domains and 137 IPs, focusing on government, municipal, energy, telecommunications, and transportation targets.
DDoS attacks hit Danish websites before local elections
Ahead of Denmark's municipal and regional council elections in November 2024, a series of distributed denial-of-service attacks targeted Danish websites. Danish authorities later linked the activity to NoName057(16), a pro-Russian group with ties to the Russian state.
Z-Pentest attacks a Danish water utility
In 2024, a significant cyberattack targeted a Danish water utility. Denmark later attributed the incident to the pro-Russian group Z-Pentest as part of Russian cyber operations against Danish critical infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Russian-Attributed Cyberattacks on Danish Water Utility and Election Infrastructure
Danish intelligence services have publicly attributed a series of destructive and disruptive cyberattacks targeting Denmark's critical infrastructure to Russian state-backed groups. The attacks included a significant incident against a Danish water utility, reportedly causing pipes to burst and temporarily leaving homes without water, as well as coordinated denial-of-service (DDoS) attacks that overwhelmed Danish websites ahead of regional and local elections. Authorities identified the groups Z-Pentest, linked to the water utility attack, and NoName057(16), responsible for the DDoS campaigns, as operating on behalf of the Russian state. These operations are described as part of Russia's broader hybrid warfare strategy aimed at destabilizing Western nations and punishing those supporting Ukraine. The Danish Defence Intelligence Service emphasized that these cyber operations are intended to create insecurity and attract public attention, particularly during sensitive periods such as elections. The Danish government has condemned the attacks as unacceptable, with officials highlighting the incidents as clear evidence of ongoing hybrid warfare in Europe. In response, Denmark's foreign office has summoned the Russian ambassador for clarifications, underscoring the seriousness with which these state-attributed cyberattacks are being treated by Danish authorities.
Mar 21, 2026Coordinated DDoS activity targeting government infrastructure in Europe and Russia
A sustained DDoS campaign attributed to **NoName057(16)** used the **DDoSia** tool to generate **6,649** recorded attack entries between Feb. 23 and Mar. 1, targeting **126 domains** and **135 IPs** with a multi-country focus on **Denmark, Greenland, and Ukraine**. Reported targeting emphasized public-sector services (about **44%** of attacks), alongside Ukrainian defense industry, tourism/travel (notably tied to Greenland’s economy), and transportation infrastructure; most traffic was directed at `443/tcp` (HTTPS). The activity aligns with politically motivated disruption tied to Denmark’s support for Ukraine and heightened Arctic sovereignty tensions involving Greenland. Separately, Russia’s internet regulator **Roskomnadzor** and the **Russian Defense Ministry** reported a “complex multi-vector” DDoS that briefly disrupted multiple government websites and related infrastructure, including systems of the **Main Radio Frequency Center (GRFC)**. Russian authorities said the attack was contained, but user reports indicated intermittent access issues persisted for days; the responsible actor was not identified and no public claim of responsibility was noted at the time of reporting. A ransomware “state of the month” roundup covering February incidents is not directly related to these DDoS events and should be treated as separate reporting.
Mar 21, 2026
Hacktivist Cyber Operations Escalate Amid Geopolitical Tensions
A newly formed Russian-aligned hacktivist coalition calling itself **Russian Legion** (reportedly comprising Cardinal, The White Pulse, Russian Partizan, and Inteid) announced “**OpDenmark**,” a campaign of **DDoS attacks** intended to disrupt Danish government services and critical infrastructure and pressure Denmark to reverse military support for Ukraine. Reporting indicates the group issued an ultimatum tied to Denmark’s planned **1.5 billion DKK** aid package, followed by service disruptions across multiple Danish organizations, including repeated targeting of the **energy sector**; analysts characterized the actor as *state-aligned but not state-funded*, using disruption and psychological pressure rather than confirmed destructive intrusions. Separately, a new hacktivist group, **Punishing Owl**, claimed a breach of a Russian government security agency, publishing stolen documents and using DNS manipulation to redirect traffic to attacker-controlled infrastructure hosting the leak and a manifesto. The operation reportedly expanded into **business email compromise** against partners/contractors and included tooling such as the **ZipWhisper PowerShell stealer**, with lures using password-protected ZIPs and disguised LNK files to execute PowerShell downloaders. An additional opinion piece highlighted a broader rise in **energy infrastructure** cyber operations (including referenced events affecting Poland and Venezuela) but did not provide corroboration or direct linkage to the Denmark DDoS campaign or the Punishing Owl intrusion.
Mar 21, 2026