Full Report
News: The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to the municipal and regional council elections in November. The first, it said, was carried out by the pro-Russian group known as Z-Pentest and the second by NoName057(16), which has links to the Russian state. Slashdot thread.
Analysis Summary
# Incident Report: Dual-Vector Russian State-Linked Cyber Operations Against Denmark
## Executive Summary
Denmark has been the target of two separate cyber incidents that the DDIS attributes to actors linked to Russia. The first, in 2024, was a destructive cyber-attack against a Danish water utility attributed to the group Z-Pentest. The second was a series of Distributed Denial of Service (DDoS) attacks against Danish websites in the lead-up to the November municipal and regional council elections, attributed to the NoName057(16) group. The DDIS has publicly attributed both operations to Moscow.
## Incident Details
- **Discovery Date:** Not stated; the public announcement was made on a Thursday (the article's context implies shortly before December 18, 2025).
- **Incident Date:** The water utility attack occurred in **2024**; the DDoS attacks occurred in the lead-up to the **November** elections (the article's context implies 2025; both incidents preceded the announcement).
- **Affected Organization:** A Danish water utility; various Danish websites.
- **Sector:** Critical Infrastructure (Water); Government/Elections/Public Sector.
- **Geography:** Denmark.
## Timeline of Events
### Incident 1: Water Utility Attack (Exploitation/Destruction)
- **Date/Time:** 2024.
- **Vector:** Not stated (the report infers a non-trivial intrusion from the attribution to Z-Pentest and the destructive outcome).
- **Details:** A cyber-attack deemed destructive was carried out against a Danish water utility.
### Incident 2: Election DDoS Campaign
- **Date/Time:** Lead-up to the municipal and regional council elections in November.
- **Vector:** Distributed Denial of Service (DDoS).
- **Details:** A series of DDoS attacks were launched against Danish websites.
### Lateral Movement
- Not specified for either incident, though the water utility attack implies successful compromise beyond initial access to cause "destructive" effects.
### Data Exfiltration/Impact
- **Water Utility:** Described as a "cyber-attack," suggesting potential operational impact or destruction of data/systems, but specific exfiltration details are not provided.
- **DDoS Attacks:** Operational disruption of targeted websites.
### Detection & Response
- Detection was internal to the affected systems and networks and led to a formal attribution announcement by the **Danish Defence Intelligence Service (DDIS)** on Thursday.
- Response actions by the DDIS involved attribution and public disclosure.
## Attack Methodology
Due to the limited information, the methodology must be inferred based on the high-level descriptions:
| Phase | Incident 1 (Water Utility - Z-Pentest) | Incident 2 (Election DDoS - NoName057(16)) |
| :--- | :--- | :--- |
| **Initial Access** | Unknown (Likely exploitation of known vulnerabilities or spear-phishing for system or operational technology access). | Direct volumetric attack targeting network/application availability. |
| **Persistence** | Implied, required for a "destructive" attack. | N/A (DDoS is typically short-lived, focusing solely on impact). |
| **Privilege Escalation** | Implied to achieve destructive goals. | N/A |
| **Defense Evasion** | Implied, necessary for a successful intrusion. | N/A (DDoS traffic is usually voluminous and easily identifiable as malicious). |
| **Credential Access** | Unknown. | N/A |
| **Discovery** | Unknown (Internal network mapping likely occurred). | N/A |
| **Lateral Movement** | Likely occurred to reach critical systems. | N/A |
| **Collection** | Unknown (Potentially reconnaissance or preparation for sabotage). | N/A |
| **Exfiltration** | Not specified. | N/A |
| **Impact** | **Destructive** manipulation or disabling of water utility systems. | **Operational Disruption** of websites by overwhelming them with traffic volume. |
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Not specified for the water utility; a DDoS attack does not by itself involve a data breach unless it is combined with a separate intrusion.
- **Operational:** Significant operational disruption at the water utility (extent not specified); temporary service degradation or outages for the affected Danish websites during the election lead-up.
- **Reputational:** High national-security impact, since the attacks were publicly attributed to Russian state-linked actors and targeted critical infrastructure (water) and democratic processes (elections).
## Indicators of Compromise
- **Network Indicators:** None provided in the source; no specific IOCs are available to defang.
- **File Indicators:** None available.
- **Behavioral Indicators:** Use of established threat groups (Z-Pentest, NoName057(16)) for distinct objective types (sabotage versus disruption/influence).
## Response Actions
- **Containment:** No details provided regarding immediate steps taken by the utility or website owners.
- **Eradication:** No details provided.
- **Recovery:** No details provided beyond the fact that the DDIS made a public announcement attributing the incidents.
## Lessons Learned
- **Attribution Confidence:** The DDIS has high confidence in attributing sophisticated attacks against critical infrastructure (water utility) and influence operations (elections) to specific, known Russian-aligned groups.
- **Dual Threat Landscape:** Denmark faces ongoing, multifaceted persistent threats leveraging both destructive IT/OT attacks (Z-Pentest) and politically motivated availability attacks (NoName057(16)).
## Recommendations
- **Critical Infrastructure Hardening:** Conduct deep audits and penetration testing focused on IT/OT convergence points within water utilities, specifically looking for Z-Pentest TTPs.
- **Election Security Resilience:** Implement advanced DDoS mitigation services (e.g., always-on scrubbing centers) for all public-facing governmental and electoral websites well in advance of election cycles.
- **Threat Intelligence Integration:** Maintain active monitoring feeds related to NoName057(16) activity to pre-emptively block recognized volumetric attack patterns.
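The recommendations above call for DDoS mitigation and for monitoring that can recognise volumetric attack patterns. The following is an added example written for this page, not code from the DDIS, the article, or any mitigation product: a sliding-window request-rate detector run over constructed web access-log lines. It shows the two checks a defender actually needs side by side: a per-source limit, which catches a single flooding client, and an aggregate site-wide limit, which is the only one of the two that catches a distributed flood where every individual source stays under the per-source threshold. The log format, IP addresses, timestamps and thresholds are all constructed placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-style access log line (constructed format); only the fields needed
# for rate detection are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, per_source_limit=20, total_limit=100):
    """Sliding-window request-rate detector over chronologically ordered log lines.

    Returns (per_source_alerts, aggregate_alerts):
      per_source_alerts: {ip: time at which that ip first exceeded per_source_limit
                          requests inside one window}
      aggregate_alerts:  list of times at which the site-wide request count inside
                         one window first exceeded total_limit (one entry per burst)
    The thresholds are placeholders; real values come from a measured baseline.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(deque)   # ip -> timestamps still inside the window
    all_ts = deque()              # every request timestamp still inside the window
    per_source_alerts = {}
    aggregate_alerts = []
    aggregate_tripped = False

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the detector
        now = ev["ts"]

        # Per-source check: evict timestamps older than the window, then compare.
        q = per_ip[ev["ip"]]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) > per_source_limit and ev["ip"] not in per_source_alerts:
            per_source_alerts[ev["ip"]] = now

        # Aggregate check: same window, counted across all sources.
        all_ts.append(now)
        while all_ts and now - all_ts[0] > window:
            all_ts.popleft()
        if len(all_ts) > total_limit:
            if not aggregate_tripped:
                aggregate_alerts.append(now)
                aggregate_tripped = True
        else:
            aggregate_tripped = False  # re-arm once volume drops back under the limit
    return per_source_alerts, aggregate_alerts


def build_sample_log():
    """Constructed sample: normal visitors, one single-source flood, one distributed flood."""
    base = datetime(2025, 11, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    events = []
    # Three ordinary visitors: five requests each, spread over about a minute.
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for k in range(5):
            events.append((i + k * 12, line(ip, i + k * 12, "/candidates")))
    # Single-source flood: 40 requests in 4 seconds from one address (t = 70 s).
    for k in range(40):
        events.append((70 + k * 0.1, line("203.0.113.5", 70 + k * 0.1)))
    # Distributed flood: 30 addresses, 5 requests each, inside 3 seconds (t = 120 s).
    for s in range(30):
        for k in range(5):
            off = 120 + (s * 5 + k) * 0.02
            events.append((off, line(f"192.0.2.{s + 1}", off)))
    events.sort(key=lambda e: e[0])
    return [text for _, text in events]


if __name__ == "__main__":
    per_src, agg = detect_floods(build_sample_log())
    print("per-source alerts:", {ip: t.isoformat() for ip, t in per_src.items()})
    print("aggregate alerts: ", [t.isoformat() for t in agg])
```

Run as written, the per-source check flags only `203.0.113.5`, while the distributed burst from the thirty `192.0.2.x` sources never trips it (five requests each) and is caught solely by the aggregate check. That gap is the practical reason the recommendations pair upstream scrubbing with threat-intelligence feeds: a per-client limit on the web server is a useful first filter but is blind to exactly the distributed, volumetric pattern described in the methodology table.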