Russia was behind a destructive cyber attack on a water utility in 2024, Denmark says
2025-12-20 00:46:25 Author: securityaffairs.com

Pierluigi Paganini December 20, 2025

Denmark has blamed Russia for a destructive cyberattack on a water utility, calling it part of Moscow’s hybrid campaign against Western critical infrastructure.

Denmark has accused Russia of orchestrating destructive cyberattacks against a water utility in 2024, framing them as part of broader hybrid attacks on Western critical infrastructure.

Denmark’s Defence Intelligence Service attributed a destructive attack on a water utility to the pro-Russia group Z-Pentest and DDoS attacks tied to elections to the pro-Russia hacktivist group NoName057(16). Officials said both groups act as tools of Russia’s hybrid war, aiming to create insecurity and punish countries supporting Ukraine.

“FE assesses that the pro-Russian group Z-Pentest, which was behind a destructive cyberattack against a Danish waterworks in 2024, has connections to the Russian state. FE also assesses that the group NoName057(16), which carried out overload attacks against Danish websites in the run-up to the Danish municipal and regional council elections in 2025, has connections to the Russian state.” reads the press release published by FE. “The Russian state uses both groups as part of its hybrid attacks against the West. The aim is to create insecurity in the countries that the groups attack, and to punish the countries for supporting Ukraine.”

Hybrid war is a strategy in which a state combines military and non-military tools to weaken or destabilize an adversary without declaring open war. It typically blends:

  • Cyber operations (hacking, sabotage, data leaks)
  • Disinformation and propaganda
  • Economic pressure (sanctions evasion, energy leverage)
  • Political interference (election meddling, influence campaigns)
  • Use of proxies (hacktivists, mercenaries, criminal groups)
  • Limited or deniable military actions

The goal is to create uncertainty, disrupt society, erode trust in institutions, and impose costs, while maintaining plausible deniability and staying below the threshold of conventional armed conflict.

The Danish intelligence service says elections were exploited to gain public attention, a tactic seen across Europe. Since Russia’s 2022 invasion, Denmark has backed Ukraine with sanctions, military aid, training, and financial support.

Denmark’s defence minister condemned the cyberattacks and labeled them as unacceptable, citing a December 2024 incident in Køge where hackers altered pump pressure at a water utility, bursting pipes.

“This is very clear evidence that we are now where the hybrid war we have been talking about is unfortunately taking place. It once again puts the spotlight on the situation we find ourselves in in Europe,” Lund Poulsen said. “It is completely unacceptable that hybrid attacks are carried out in Denmark by the Russian side.”

Danish officials said recent cyber and drone incidents caused limited damage but exposed serious gaps in national resilience, warning Denmark is not adequately prepared for hybrid attacks from Russia.

In March, Denmark raised the cyber espionage threat level for its telecom sector from medium to high due to rising threats across Europe.

The Danish Social Security Agency published a new threat assessment for the cyber threat to the telecommunications sector that highlighted the risks for telecom companies in Europe.

Nation-state actors target telecom providers for cyber espionage to access user data, monitor communications, and potentially launch cyber or physical attacks.

The assessment warns that some nation-state hackers have demonstrated an extensive technical understanding of the telecommunications sector’s infrastructure and protocols in cyberattacks against the industry abroad.

In May 2023, Danish critical infrastructure faced the biggest cyber attack on record to hit the country, reported SektorCERT, Denmark’s Computer Security Incident Response Team (CSIRT) for the critical infrastructure sectors.

A first wave of attacks was launched on May 11, then after a short pause, a second wave of attacks began on May 22. SektorCERT became aware of the attacks on May 22.

SektorCERT reported that threat actors compromised the networks of 22 companies operating in the energy infrastructure. According to the report, 11 companies were immediately compromised. The attackers exploited zero-day vulnerabilities in Zyxel firewalls used by many critical infrastructure operators in Denmark.

Experts believe the attacks were carried out by multiple threat actors, and at least one can be attributed to the Russia-linked Sandworm group.

Recently, CISA and international partners warned that pro-Russia hacktivist groups are actively targeting critical infrastructure worldwide.

Pro-Russia hacktivist groups like CARR, Z-Pentest, and NoName057(16) exploit poorly secured VNC connections to access OT devices in critical infrastructure, causing varying impacts, including physical damage, primarily targeting water, food, agriculture, and energy sectors. Their attacks are less sophisticated and lower-impact compared to APT groups.

“This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.” reads a joint advisory from FBI, CISA, National Security Agency (NSA), and partner countries.

CARR attacked U.S. water systems and a Los Angeles meat facility, causing spills, leaks, and damage. GRU guidance financed attacks, targeting critical infrastructure and election sites. A GRU-linked officer, using the handle “Cyber_1ce_Killer,” directed CARR targets, funded DDoS-for-hire services, and is identified as a CARR member.

The U.S. State Department offers up to $2 million for information on CARR members and up to $10 million for details on individuals linked to NoName.

Article source: https://securityaffairs.com/185885/hacking/russia-was-behind-a-destructive-cyber-attack-on-a-water-utility-in-2024-denmark-says.html