Denmark Accuses Russia of Cyberattacks on Water Plant and Elections

Official Attribution by Danish Intelligence

The Danish Defence Intelligence Service (DDIS) publicly announced on Thursday, December 19, 2025, that two pro-Russian hacker groups were responsible for significant cyberattacks targeting critical infrastructure and democratic processes in Denmark. The DDIS assessment attributes these incidents to groups with direct links to the Russian state, characterizing them as part of Russia's 'hybrid war' against Western nations.

Defence Minister Troels Lund Poulsen stated that the attacks were 'completely unacceptable' and confirmed that the government would summon the Russian ambassador over the matter. Minister for Resilience and Preparedness, Torsten Schack Pedersen, highlighted that while the damage was limited, the incidents 'show that there are forces capable of bringing essential services in our society to a halt.'

Water Treatment Plant Targeted in 2024

In early 2024, a cyberattack struck the Tureby Alkestrup Waterworks in Køge, south of Copenhagen. The DDIS attributed this 'destructive attack' to the pro-Russian hacking collective Z-Pentest, which it links directly to Russia's military intelligence, the GRU.

The intruders gained access to the plant's industrial control systems, attempting to manipulate chemical dosing, specifically chlorine levels, and altering water pressure. This resulted in at least three pipes bursting and left approximately 50 to 450 households without water for several hours. Operators successfully detected the breach and averted a wider disaster. Jan Hansen, head of the Tureby Alkestrup Waterworks, advised other companies 'not to cut costs on cybersecurity' following the incident.

Disruption of Local Elections in November 2025

Ahead of Denmark's municipal and regional elections in November 2025, a series of Distributed Denial of Service (DDoS) attacks targeted websites associated with the electoral process. The DDIS identified the pro-Russian group NoName057(16) as responsible for these disruptions.

The attacks rendered the websites of several political parties, municipalities, public institutions, and a defense company inaccessible. The DDIS stated that both NoName057(16) and Z-Pentest are utilized by the Russian state 'as instruments of its hybrid war against the West' with the aim to 'create insecurity in the targeted countries and to punish those that support Ukraine.'

Broader Context of Hybrid Warfare

Danish officials view these cyberattacks as part of a broader campaign of 'hybrid warfare' waged by Russia against Western nations, particularly those supporting Ukraine. Denmark has been a staunch supporter of Ukraine, and the DDIS assesses that the election-related attacks were used 'as a platform to attract public attention' and undermine confidence.

In response to these escalating threats, Denmark plans to establish a new cyber-surveillance network and an online operations center to enhance its defense capabilities against future cyber aggressions.