Russian Cyberattacks on Tureby Alkestrup Waterworks and Danish Election Websites: Attribution, Impact, and Mitigation
- Rescana
- Dec 21, 2025

Executive Summary
Danish authorities have publicly attributed a series of cyberattacks targeting critical infrastructure and public services in Denmark to Russian state-linked threat actors. In 2024, the Tureby Alkestrup Waterworks southwest of Copenhagen suffered a destructive cyberattack that manipulated water pressure controls, resulting in burst pipes and temporary water outages for up to seven hours for some households. The attack was attributed to the pro-Russian group Z-Pentest. In November 2025, a separate wave of distributed denial of service (DDoS) attacks disrupted Danish election websites ahead of regional and local elections, undermining public trust and access to democratic processes. These attacks were attributed to the pro-Russian group NoName057(16). Both groups are linked to Russia’s ongoing hybrid warfare campaign against Western countries, particularly those supporting Ukraine. Danish officials, including the Minister of Resilience and Preparedness, have acknowledged that the attacks, while causing limited physical damage, exposed significant vulnerabilities in Denmark’s ability to defend critical infrastructure. The incidents are part of a broader pattern of Russian cyber operations targeting European utilities and public services, with similar attacks reported in Norway and Germany. Attribution is based on technical evidence, operational patterns, and official statements from Danish and German authorities. No evidence of personal data compromise has been reported; the focus was on operational disruption and physical damage. The attacks highlight the urgent need for enhanced cybersecurity measures, particularly for operational technology (OT) in critical infrastructure sectors. 
Sources: https://www.wtaj.com/tech-news/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/, https://www.wjhl.com/technology/ap-technology/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/, https://www.wlns.com/news/ap-technology/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
Technical Information
The cyberattacks on Denmark’s water utility and election infrastructure demonstrate a sophisticated and evolving threat landscape targeting operational technology (OT) and public-facing digital services. The 2024 attack on the Tureby Alkestrup Waterworks exploited internet-exposed Human-Machine Interface (HMI) devices within the utility’s OT network. Attackers, identified as the pro-Russian group Z-Pentest, conducted reconnaissance using open-source tools such as Nmap and OpenVAS to scan for Virtual Network Computing (VNC) services on default ports (5900-5910). These services were often protected by weak, default, or no passwords, enabling attackers to gain unauthorized access through brute-force techniques and password spraying.
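A defender can spot the brute-force and password-spraying pattern described above in VNC authentication logs. The following is an added example, not part of the original report; the log format, host names, addresses and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The log format is an assumption for this example,
# not the output of any particular VNC server or HMI product.
SAMPLE_LOG = """\
2024-05-01T02:14:01Z hmi-01 vnc auth=fail src=203.0.113.7 dport=5900
2024-05-01T02:14:03Z hmi-02 vnc auth=fail src=203.0.113.7 dport=5901
2024-05-01T02:14:05Z hmi-03 vnc auth=fail src=203.0.113.7 dport=5900
2024-05-01T02:14:20Z hmi-02 vnc auth=fail src=203.0.113.7 dport=5901
2024-05-01T02:14:22Z hmi-02 vnc auth=fail src=203.0.113.7 dport=5901
2024-05-01T02:14:24Z hmi-02 vnc auth=fail src=203.0.113.7 dport=5901
2024-05-01T02:14:26Z hmi-02 vnc auth=fail src=203.0.113.7 dport=5901
2024-05-01T02:14:30Z hmi-02 vnc auth=ok src=203.0.113.7 dport=5901
2024-05-01T07:00:00Z hmi-01 vnc auth=fail src=10.20.0.5 dport=5900
2024-05-01T07:00:09Z hmi-01 vnc auth=ok src=10.20.0.5 dport=5900
"""
LINE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) vnc auth=(?P<res>fail|ok) "
                  r"src=(?P<src>\S+) dport=(?P<port>\d+)$")
WINDOW = timedelta(minutes=5)
BRUTE_FAILS = 5    # failures from one source against one host within WINDOW
SPRAY_HOSTS = 3    # distinct hosts one source failed against within WINDOW
PRIOR_FAILS = 3    # failures preceding a success that make it suspicious

def detect(log_text):
    """Return ordered, de-duplicated (kind, source, target) alerts."""
    fails = defaultdict(deque)          # source -> recent (time, host) failures
    alerts = []
    def raise_alert(kind, src, target):
        if (kind, src, target) not in alerts:
            alerts.append((kind, src, target))
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not 5900 <= int(m["port"]) <= 5910:
            continue                    # only VNC's default port range
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, host, q = m["src"], m["host"], fails[m["src"]]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                 # drop failures older than the window
        if m["res"] == "fail":
            q.append((ts, host))
            if sum(h == host for _, h in q) >= BRUTE_FAILS:
                raise_alert("brute-force", src, host)
            if len({h for _, h in q}) >= SPRAY_HOSTS:
                raise_alert("spray", src, "*")
        elif len(q) >= PRIOR_FAILS:     # login succeeded after repeated failures
            raise_alert("success-after-failures", src, host)
    return alerts
```

On the constructed sample, `detect(SAMPLE_LOG)` reports the spray, the brute-force run against `hmi-02` and the successful login that follows it, while the operator's single mistyped password raises nothing.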
Once inside the OT environment, the attackers manipulated water pressure controls via the HMI, directly causing physical damage in the form of burst pipes. They further changed device parameters, usernames, and passwords, and disabled alarm systems, resulting in a loss of operator visibility and requiring manual intervention to restore service. The attack led to approximately 50 households being without water for around seven hours and 450 households for one hour. The attackers also attempted to establish persistence by changing credentials and locking out legitimate operators.
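Each action in this sequence can look like routine maintenance on its own; the combination inside one session is the signal. The added example below (not from the original report) correlates HMI audit-trail records per session; the record layout, tag names, action names and limits are hypothetical.

```python
from collections import defaultdict

# Constructed HMI audit-trail records: (time_s, session, action, object, value).
# Tag names, action names and limits are hypothetical, chosen for this example.
AUDIT_TRAIL = [
    (100,   "s1", "write",           "PT-101.pressure_sp_bar", 4.4),
    (9000,  "s2", "write",           "PT-101.pressure_sp_bar", 9.5),
    (9012,  "s2", "alarm_disable",   "PT-101.high_pressure",   None),
    (9030,  "s2", "password_change", "operator",               None),
    (9031,  "s2", "user_rename",     "engineer",               None),
    (20000, "s3", "password_change", "operator",               None),
]
SESSIONS = {"s1": "10.20.0.5", "s2": "203.0.113.7", "s3": "10.20.0.5"}
LIMITS = {"PT-101.pressure_sp_bar": (2.0, 6.0)}   # approved engineering range
ACTION_KINDS = {"alarm_disable": "alarm-disabled",
                "password_change": "credential-change",
                "user_rename": "credential-change"}

def classify(action, obj, value):
    """Map one audit record to a finding kind, or None if it is routine."""
    if action == "write":
        lo, hi = LIMITS.get(obj, (float("-inf"), float("inf")))
        return None if lo <= value <= hi else "setpoint-out-of-range"
    return ACTION_KINDS.get(action)

def review(trail, sessions, window_s=300):
    """Group findings per session; several kinds close together is critical."""
    found = defaultdict(list)
    for t, sess, action, obj, value in sorted(trail, key=lambda r: r[0]):
        kind = classify(action, obj, value)
        if kind:
            found[sess].append((t, kind))
    report = {}
    for sess, items in found.items():
        start = items[0][0]
        kinds = {k for t, k in items if t - start <= window_s}
        # Process change plus blinded alarms, or three kinds at once, matches
        # the takeover pattern; a lone finding is queued for normal review.
        takeover = {"setpoint-out-of-range", "alarm-disabled"} <= kinds
        severity = "critical" if takeover or len(kinds) >= 3 else "review"
        report[sess] = (severity, sessions.get(sess, "unknown"), sorted(kinds))
    return report
```

With the constructed trail, `review(AUDIT_TRAIL, SESSIONS)` marks session `s2` as critical and leaves the isolated password change in `s3` for ordinary review.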
The November 2025 attacks on Danish election websites were executed by the pro-Russian group NoName057(16), which specializes in DDoS operations. The group used its proprietary DDoS tool, DDoSia, distributed via Telegram and GitHub, to coordinate and launch large-scale denial of service attacks. These attacks overwhelmed public-facing election websites, disrupting access and undermining confidence in the electoral process. The DDoS attacks did not involve data theft or system compromise but were designed to create public disruption and erode trust in democratic institutions.
Both Z-Pentest and NoName057(16) are part of a broader Russian hybrid warfare strategy, leveraging cyber operations to destabilize Western societies, punish countries supporting Ukraine, and probe for weaknesses in critical infrastructure. The technical tactics, techniques, and procedures (TTPs) observed in these incidents align with the MITRE ATT&CK framework, including reconnaissance (T1591, T1595.002), initial access via internet-exposed devices (T0883), credential access through brute force (T1110.003), lateral movement using default credentials and remote services (T0812, T0886, T1021.005), and impact through manipulation of control (T0831) and denial of service (T1499).
No custom malware was reported in the water utility attack; the compromise relied on poor security practices, such as exposed VNC services and weak credentials. The DDoS attacks were facilitated by the DDoSia tool, which is widely used by NoName057(16) and its affiliates. Both groups have a documented history of targeting water, energy, food/agriculture, and election infrastructure across Europe and North America, often exploiting internet-facing OT systems and public services.
Attribution to Z-Pentest and NoName057(16) is supported by technical evidence, operational patterns, and official statements from Danish and German authorities. The linkage to the Russian state is based on historical context, shared TTPs, and public disclosures, with high confidence in group-level attribution and medium-high confidence in direct state involvement.
Sources: https://www.wtaj.com/tech-news/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a, https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/
Affected Versions & Timeline
The primary affected system was the operational technology environment of the Tureby Alkestrup Waterworks, specifically HMI devices accessible via VNC services with weak or default credentials. The attack did not target a specific software version but exploited poor security configurations and exposed remote access services. The election website attacks targeted public-facing web infrastructure supporting regional and local elections in Denmark, with no specific software or platform versions disclosed.
The timeline of events, in chronological order, is as follows. In 2024, Z-Pentest carried out the destructive cyberattack on the Tureby Alkestrup Waterworks. In November 2025, NoName057(16) launched DDoS attacks against Danish election websites. On December 12, 2025, German authorities summoned the Russian ambassador over similar sabotage and cyberattacks, including a 2024 attack on German air traffic control. On December 19, 2025, the Danish Defense Intelligence Service publicly attributed both attacks to Russian state-linked groups.
Sources: https://www.wtaj.com/tech-news/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/, https://www.wjhl.com/technology/ap-technology/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/, https://www.wlns.com/news/ap-technology/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
Threat Activity
The threat activity observed in these incidents is consistent with Russian state-linked hybrid warfare operations. Z-Pentest specializes in targeting operational technology in critical infrastructure sectors, focusing on water, energy, and food/agriculture. Their TTPs include scanning for internet-exposed OT devices, exploiting weak or default credentials, and manipulating physical processes to cause operational disruption and physical damage. The group avoids DDoS attacks, instead favoring “hack and leak” and defacement operations for media impact.
NoName057(16) is known for orchestrating DDoS attacks against public sector and election infrastructure, particularly in countries supporting Ukraine. The group operates via Telegram and GitHub, distributing the DDoSia tool to coordinate attacks. Their objective is to disrupt public services, undermine trust in democratic institutions, and create instability.
Both groups are part of a broader Russian campaign to identify and exploit vulnerabilities in European critical infrastructure, as evidenced by similar attacks on water facilities in Norway and air traffic control in Germany. The attacks are opportunistic, often targeting organizations with exposed or poorly secured internet-facing systems.
Attribution is based on technical evidence, operational patterns, and official statements from Danish and German authorities. The linkage to the Russian state is supported by historical context and shared TTPs, with high confidence in group-level attribution and medium-high confidence in direct state involvement.
Sources: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a, https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/, https://www.wtaj.com/tech-news/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
Mitigation & Workarounds
The following mitigation actions are prioritized by severity:
Critical: All organizations operating critical infrastructure, especially in the water, energy, and public sector domains, must immediately audit and secure all internet-exposed operational technology devices. This includes disabling unnecessary remote access services such as VNC, enforcing strong, unique passwords, and implementing multi-factor authentication where possible. Network segmentation should be enforced to separate OT from IT environments, and all remote access should be routed through secure VPNs with strict access controls.
High: Conduct regular vulnerability assessments and penetration testing of both IT and OT environments to identify and remediate exposed services and weak credentials. Implement continuous monitoring and anomaly detection for unauthorized access attempts, brute-force activity, and changes to critical device parameters. Ensure that all critical systems have up-to-date incident response and recovery plans, including manual override procedures for OT environments.
Medium: Provide ongoing cybersecurity awareness training for all staff, with a focus on the risks associated with remote access, credential management, and phishing. Review and update cyber insurance policies to ensure adequate coverage for operational disruption and physical damage resulting from cyberattacks.
Low: Engage with sector-specific information sharing and analysis centers (ISACs) and participate in joint exercises with national cybersecurity authorities to improve preparedness for hybrid threats. Regularly review and update public communications plans to maintain public trust in the event of service disruptions.
These recommendations are based on the technical findings from the Denmark incidents and align with best practices for defending against state-linked hybrid cyber threats.
Sources: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a, https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/
References
https://www.wtaj.com/tech-news/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
https://www.wjhl.com/technology/ap-technology/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
https://www.wlns.com/news/ap-technology/ap-denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and critical infrastructure partners. Our platform enables continuous visibility into the security posture of vendors and service providers, supports rapid incident response coordination, and facilitates compliance with sector-specific cybersecurity standards. For questions or further information, please contact us at ops@rescana.com.


