Denmark cyberattack allegations have escalated into a diplomatic confrontation with Russia, after Danish authorities accused Moscow of orchestrating two cyber incidents targeting critical infrastructure and democratic processes. On Thursday, Denmark announced it would summon the Russian ambassador following findings by the Danish Defence Intelligence Service (DDIS) linking Russia to a destructive cyberattack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of elections last month.
Danish officials described the Denmark cyberattack incidents as part of Russia’s broader hybrid warfare campaign against European countries supporting Ukraine, marking a rare public attribution of state-linked cyber operations.
In an official statement, Danish authorities said, “Russia is responsible for destructive and disruptive cyberattacks against Denmark.” The DDIS assessed that the Z-Pentest group, which executed the 2024 water utility attack, has links to the Russian state. Similarly, the agency determined that NoName057(16), the group responsible for the election-related DDoS attacks, also maintains ties to Russian state interests.
Denmark Cyberattack on Water Utility Exposed Infrastructure Weaknesses
The cyberattack on Denmark’s water infrastructure occurred in 2024 and targeted a waterworks facility in Køge. According to Danish officials, a hacker gained control of operational systems and altered pump pressure levels, causing pipes to burst. While the physical damage was limited, the incident raised serious concerns about the security of critical infrastructure.
Denmark’s Defence Minister Troels Lund Poulsen condemned the attack, calling it “completely unacceptable” and warning that hybrid warfare is no longer a theoretical risk. He said the incident demonstrated how cyber operations could translate into real-world consequences. Poulsen confirmed that Denmark would summon the Russian ambassador in response to the findings.
Election-Related DDoS Attacks and Influence Campaigns
In the lead-up to Denmark’s 2025 municipal and regional elections, multiple government and public-sector websites were hit by DDoS attacks designed to overwhelm servers and disrupt access. The DDIS stated that the attacks were intended not only to disrupt digital services but also to attract public attention and amplify insecurity during a politically sensitive period.
“The aim is to create insecurity in the targeted countries and to punish those that support Ukraine,” the intelligence service said, adding that Russia’s cyber operations form part of a broader influence campaign designed to undermine Western backing for Kyiv.
The agency noted that Danish elections were used as a platform for disruption, a tactic that has been observed in several other European countries facing similar cyberattacks and election-related interference.
November 2025 Cyberattacks on Government and Defense Websites
Earlier reporting by The Cyber Express documented additional cyberattack on Denmark that occurred on November 13, when multiple government and defense-related websites experienced outages. Denmark’s Civil Protection Agency confirmed that the disruptions were caused by DDoS attacks affecting several Danish companies and public-sector platforms.
“Several Danish companies and websites were currently experiencing outages and operating disruptions because of DDoS attacks,” the agency said, noting that authorities were closely monitoring the situation alongside military intelligence.
Shortly after the incident, NoName057(16) claimed responsibility on social media, alleging it had targeted systems belonging to the Danish government, including the Ministry of Transport and the public-sector portal Borger.dk. Defense contractor Terma was also named, and later confirmed it had been affected.
Terma spokesperson Tobias Brun-Falkencrone urged caution, stating, “We’re aware that a Russian hacker group has claimed that it would disrupt our website, as well as the ones of several Danish authorities, but it’s too early to say they are responsible.” He added that the company responded effectively and that no data was lost.
Part of a Broader European Pattern
International reporting from outlets including AFP and Ukrinform has linked the cyberattack on Denmark to a wider wave of pro-Russia cyber activity across Europe. Recent incidents include data theft from a Dutch municipality, a payment system breach in Poland affecting a major tour company, and the exposure of sensitive employee data from a British defense contractor by Russia-linked hackers.
While Danish authorities have not reported long-term damage or data loss, officials warned that repeated cyberattacks highlight persistent vulnerabilities in public infrastructure. The Civil Protection Agency and military intelligence services continue to monitor the situation.
The DDIS concluded that Russia’s use of proxy hacker groups reflects an evolving hybrid threat environment in which cyber operations are increasingly used to exert pressure, destabilize societies, and influence political outcomes without crossing traditional military thresholds.
