Full Report
The Danish government has accused Russia of being behind two “destructive and disruptive” cyberattacks in what it describes as “very clear evidence” of a hybrid war. The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyberattack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on…
Analysis Summary
# Incident Report: Russian State-Sponsored Cyberattacks Against Denmark (2024/November 2025)
## Executive Summary
The Danish Defence Intelligence Service (DDIS) has publicly accused Russia of conducting two "destructive and disruptive" cyberattacks, characterizing the events as evidence of a "hybrid war." The incidents included a destructive attack against a critical Danish water utility in 2024 and a series of Distributed Denial of Service (DDoS) attacks targeting Danish websites in the run-up to the November municipal and regional council elections. The intent behind these actions appears to be disruption and sowing chaos, rather than data exfiltration.
## Incident Details
- Discovery Date: Not explicitly stated; the attribution was announced on a Thursday (Dec 19, 2025).
- Incident Date: The water utility attack occurred in 2024; the DDoS attacks occurred in November (the context implies 2025).
- Affected Organization: A Danish water utility (not named in the source); various Danish government and institutional websites.
- Sector: Critical Infrastructure (Water Utility), Government/Civilian.
- Geography: Denmark.
## Timeline of Events
### Initial Access
- Date/Time: Attack 1 occurred in 2024. Attack 2 (the DDoS campaign) occurred in the lead-up to the November municipal and regional council elections (the context suggests 2025).
- Vector: Unknown for the water utility attack; **DDoS** for the election-related attacks.
- Details: The DDIS attributed the water utility attack to the pro-Russian group Z-Pentest and the DDoS attacks to NoName057(16), which it states has links to the Russian state.
### Lateral Movement
- Not applicable to the DDoS attacks. Details for the water utility attack are not disclosed, but the term "destructive" suggests deep system access or modification.
### Data Exfiltration/Impact
- **Water Utility Attack (2024):** Described as "destructive and disruptive." Impact likely involved operational disruption or physical process sabotage, though specifics are not provided.
- **Election-Related Attacks (November):** Distributed Denial-of-Service (DDoS). Intended to disrupt public access to Danish websites during the election period.
### Detection & Response
- **Detection:** Not detailed, but the DDIS made a public attribution, implying internal security analysis or intelligence gathering led to the conclusion.
- **Response actions taken:** DDIS announced the attribution, signaling a governmental response documenting the cyber operations as part of a "hybrid war." Specific immediate technical response actions are not detailed in the provided text.
## Attack Methodology
| Phase | Attack 1 (Water Utility) | Attack 2 (Elections) |
| :--- | :--- | :--- |
| **Initial Access** | Unknown (likely a sophisticated intrusion, given the "destructive" outcome) | Volumetric and/or application-layer attacks against internet-facing services. |
| **Persistence** | Unknown (implied by the outcome) | N/A (DDoS is typically short-lived, high-volume activity) |
| **Privilege Escalation** | Suspected, given the "destructive" outcome | N/A |
| **Defense Evasion** | Unknown | Attack traffic proxied through botnets, masking its origin. |
| **Credential Access** | Unknown | N/A |
| **Discovery** | Unknown | N/A |
| **Lateral Movement** | Unknown | N/A |
| **Collection** | Potential, but focus was destruction | N/A |
| **Exfiltration** | Not the primary goal | N/A |
| **Impact** | **Destructive and Disruptive** actions on operational technology or core systems. | **Denial of Service** against public-facing websites. |
## Impact Assessment
- Financial: Not quantified.
- Data Breach: No specific mention of data exfiltration or theft in the provided context; the focus was disruption.
- Operational: Significant operational impact on the targeted water utility in 2024. Temporary operational disruption to websites during the critical election period in November.
- Reputational: Governmental acknowledgment that these attacks confirm ongoing "hybrid war," which carries national security reputation implications.
## Indicators of Compromise
*Note: No specific technical IoCs (URLs, IPs, file hashes) were provided in the source material.*
- **Network indicators (Defanged):** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Observed pattern of state-linked groups (Z-Pentest, NoName057(16)) conducting politically motivated disruption against critical national functions (water supply, elections).
## Response Actions
- **Containment:** Unknown for the 2024 incident. The DDoS attacks were likely mitigated using standard mitigation services (scrubbing centers, WAFs).
- **Eradication:** Unknown; if the 2024 intrusion established persistence, its removal is assumed to be ongoing.
- **Recovery:** Website functionality restored following DDoS mitigation; operational continuity restored for the utility after the 2024 incident.
## Lessons Learned
- **Attribution Confirmation:** Intelligence services have high confidence in attributing disruptive cyber activities to Russian-linked actors, confirming the hybrid threat landscape.
- **Dual Threat Vectors:** Critical national infrastructure (OT/water) and democratic processes (elections) are simultaneous, high-value targets for destructive and disruptive cyber operations.
- **Pre-Election Vulnerability:** State-sponsored groups actively target democratic processes immediately preceding elections.
## Recommendations
- **Critical Infrastructure Hardening:** Review and bolster network segmentation and operational resilience for all water/OT environments against known destructive malware targeting industrial control systems (ICS).
- **DDoS Preparedness:** Ensure continuous, scalable DDoS protection contracts are in place and test the activation procedures for all public-facing governmental and election-related websites before future voting cycles.
- **Intelligence Integration:** Enhance intelligence sharing regarding identified threat groups (Z-Pentest, NoName057(16)) to proactively defend against their known TTPs.