Skip to main content
CybersecurityInfrastructure

Denmark Accuses Russia: Exclusive on Damaging Cyberattacks

Denmark Accuses Russia: Exclusive on Damaging Cyberattacks

“If not us, who?” might be the question Copenhagen asked as it pointed an accusatory finger at Moscow this week. The Danish Defence Intelligence Service (DDIS) announced Thursday that it had determined Russian actors were responsible for two disruptive cyber operations against Denmark in 2024: an intrusion tied to a pro‑Russian group that targeted a water utility, and a separate campaign of distributed denial‑of‑service attacks against Danish websites timed to the run‑up to municipal and regional council elections in November. The agency said the first intrusion was carried out by a group tracked as Z‑Pentest and the electoral DDoS activity by NoName057(16), a collective that the DDIS links to the Russian state .

The essentials are stark: an essential-service operator faced a penetration that exposed operational‑technology risk, while civic digital infrastructure came under heavy, politically timed traffic disruption. The DDIS framed the actions not as isolated vandalism but as part of a pattern of state‑aligned pressure applied through proxy groups—an assertion that shifts these incidents from criminal nuisance into the realm of national security and international diplomacy .

Background matters here. Since 2022, a constellation of state‑aligned and sympathetic hacktivist actors has proliferated around the geopolitical shockwaves of the Russia‑Ukraine war. Some actors seek spectacle and disinformation; others pursue disruption or intelligence. Utilities—water, power, transport—are especially sensitive because successful intrusions against industrial control systems (ICS) can translate quickly into real‑world harm: altered chemical dosing, pressure changes, or outages that affect millions. Security researchers have repeatedly warned that even reconnaissance and non‑destructive intrusions into OT networks can provide adversaries the playbook they need for future escalation .

What happened in Denmark, and why analysts pay attention:

  • Water utility intrusion — According to intelligence descriptions, the compromise involved tools and probing behavior consistent with actors who map OT environments and test for persistence. Whether the intruders achieved control over process equipment or merely staged reconnaissance, the episode underscores how even exploratory access to water‑system networks can pose public‑health risks and trigger costly emergency responses .
  • Election‑period DDoS attacks — The denial‑of‑service operations targeted municipal and regional websites ahead of November elections, an attack profile designed to sow confusion, limit access to civic information, and erode trust in institutions. The DDIS linked these bursts of traffic to NoName057(16), a group the service says has ties to the Russian state, which raises questions about intent beyond mere mischief .

Different observers read these events through different lenses. Technologists would point first to mitigations: stronger network segmentation between IT and OT, robust monitoring of industrial protocols, threat‑informed detection, and deception tools such as realistic honeypots that can turn attacker curiosity into actionable intelligence. Indeed, recent security research showing pro‑Russian actors engaging with deception environments illustrates how defenders can harvest tradecraft, indicators, and command sequences that become signatures and playbooks for future defense .

Policymakers face a separate calculus. If adversaries routinely exploit proxies and hacktivist collectives, traditional deterrence—threats of sanctions or countermeasures aimed at states—becomes messier. Attribution is harder, response options are politically fraught, and domestic regulators must decide whether to mandate higher resilience standards for municipal and critical‑service operators that often lack cybersecurity budgets. The DDIS public attribution to Moscow is therefore as much a policy signal as it is an intelligence assessment: it invites diplomatic pressure, allied coordination, and possible retaliatory steps, while also pressuring national and local authorities to shore up defenses .

From the user and consumer perspective, the worry is simple and visceral: water and civic services are expected to be reliable. Even precautionary shutdowns or temporary loss of online services can undermine public confidence. Clear, timely communication by operators and authorities—paired with visible remediation and assurance measures—matters as much as the technical fixes because trust is the currency of public systems.

Adversaries, for their part, benefit from ambiguity. Using semi‑autonomous groups or well‑known hacktivist collectives gives a state plausible deniability and operational leverage. It also lowers the bar for escalation: deniable intrusions let actors probe defenses, test reactions, and calibrate influence operations without immediately provoking a kinetic or diplomatic response. That blend of technical probing and political theater is what makes these campaigns dangerous even when they stop short of causing physical harm .

Still, there are constraints. Deception and improved telemetry can blunt many attacks; international cooperation can raise the costs for operators who act as proxies; and transparent public reporting can inoculate citizens against panic. Yet none of these are silver bullets. Defenders adapt, attackers refine—policy, funding, and governance gaps remain the recurring vulnerabilities.

What should be done now? Practical steps that different actors can take include:

  • For utilities: prioritize segmentation of OT and IT networks, implement continuous logging for ICS protocols, and run realistic incident exercises that include deception and threat‑informed detection playbooks .
  • For national governments: coordinate intelligence sharing with allies, support smaller municipalities with funding and technical assistance, and develop clear thresholds for attribution and response that balance deterrence with diplomatic risk .
  • For the public: demand transparent reporting from operators and authorities and support investment in resilient, well‑governed infrastructure that treats cybersecurity as a public good.

Denmark’s public naming of Moscow in these incidents is consequential. It reflects both a growing willingness among Western capitals to call out state actors by name and the uncomfortable reality that vital services are now contested terrain in geopolitical rivalries. Whether that naming produces deterrence, escalation, or a scramble to shore up defenses will depend on how governments, industry, and the public respond.

The question now is not only whether these specific operations succeed in their immediate aims, but what pattern they help establish. Will proxy campaigns become a favored instrument of statecraft because they are cheap, deniable, and politically useful? Or will international coordination and hardened infrastructure make such attempts an unattractive gamble? In a world where code can reach a river’s valves and a civic webpage with equal ease, the stakes are no longer abstract—and neither is the need for a sustained, whole‑of‑society answer .

Source: https://www.schneier.com/blog/archives/2025/12/denmark-accuses-russia-of-conducting-two-cyberattacks.html