Denmark Attributes Destructive Water Utility Cyberattack to Russian State Actors
Copenhagen's First Public Attribution Reveals GRU-Linked Groups Behind Critical Infrastructure Assault
Denmark has publicly blamed Russia for orchestrating two separate cyberattacks against its critical infrastructure in 2024 and 2025, marking the first time Copenhagen has formally attributed such incidents to Moscow. The attacks targeted a water utility that left hundreds without water and government websites ahead of regional elections, according to Denmark's Defence Intelligence Service (DDIS).
The Water Utility Attack: Technical Overview
In December 2024, the pro-Russian hacking group Z-Pentest launched a destructive cyberattack against Tureby Alkestrup Waterworks, a facility serving several villages approximately 35 kilometers south of Copenhagen. The attackers gained access to the plant's industrial control system and manipulated water pressure, causing at least three pipes to burst.
The impact was immediate and tangible: approximately 50 households lost water access for seven hours, while an additional 450 homes experienced water outages lasting one hour. The attack demonstrates the real-world consequences of successful critical infrastructure compromises.
This incident is part of a disturbing trend. As detailed in our analysis of The Rising Tide of Cyber Threats: How Hackers Are Targeting Global Water Infrastructure, water utilities worldwide have become primary targets for nation-state actors and hacktivist groups.
Root Cause: A Costly Security Decision
Jan Hansen, head of the Tureby Alkestrup Waterworks, revealed a critical lesson in a post-incident statement: the facility had recently switched to a cheaper cybersecurity solution that proved inadequate. The previous security infrastructure had been more robust but was replaced in a cost-cutting measure.
"My advice to other companies is not to cut costs on cybersecurity and to take out cyber insurance," Hansen stated, highlighting the false economy of downgrading security controls for critical infrastructure operations.
This echoes warnings we've issued repeatedly in articles like The Rising Threat of Water System Hacking: A Wake-Up Call for Infrastructure Security, where we documented how budget cuts create vulnerabilities that nation-state actors actively exploit.
Attribution to Russian State Actors
The DDIS assessment identified two distinct threat groups operating on behalf of the Russian state:
Z-Pentest (Water Utility Attack)
According to the U.S. Justice Department, Z-Pentest was founded, financed, and directed by Russia's military intelligence agency, the GRU. The group formed in September 2024 after administrators from another pro-Russian collective, CyberArmyofRussia_Reborn, became dissatisfied with GRU support.
Z-Pentest has claimed responsibility for hundreds of cyberattacks on critical infrastructure worldwide, including:
- Multiple attacks on U.S. drinking water systems that damaged controls and spilled hundreds of thousands of liters of water
- An attack on a Los Angeles meat processing facility in November 2024 that spoiled thousands of pounds of meat and triggered an ammonia leak
- The Danish water utility incident in December 2024
The group exploits poorly secured remote access connections, particularly VNC implementations, to access operational technology (OT) devices in critical infrastructure environments. For more on Russian GRU tactics, see our comprehensive analysis: Russia's Sandworm Pivots: Why Misconfigured Edge Devices Are Now the Primary Target for Critical Infrastructure Attacks.
One particularly alarming case documented in our investigation The Ukrainian Woman Who Sabotaged Children's Water Parks and Critical Infrastructure for Russia reveals how GRU-backed groups like CARR (CyberArmyofRussia_Reborn) orchestrated 99 documented attacks on water systems, demonstrating the systematic nature of this threat.
NoName057(16) (Election DDoS Campaign)
Active since March 2022, NoName057(16) conducted distributed denial-of-service attacks against Danish government websites in November 2025, ahead of the country's municipal and regional elections. The group coordinates through Telegram channels and distributes its own crowdsourced DDoS tool, "DDoSia," to volunteers recruited worldwide to take part in its attacks.
NoName057(16) has been particularly active across Europe. In December 2024, the group claimed responsibility for crippling France's postal service during the Christmas period, as detailed in our coverage: France Opens Intelligence Investigation After Pro-Russian Hackers Claim Responsibility for Christmas Postal Service Cyberattack.
Attack Methodology and TTPs
While specific technical details remain limited, security researchers have identified several characteristics of the Z-Pentest attack:
- Initial Access: The attackers most likely exploited weakly secured remote access (exposed VNC or similar), the vector Z-Pentest has used elsewhere and a common weakness in operational technology environments
- Persistence: The intrusion went undetected for an extended period, consistent with living-off-the-land techniques that blend in with legitimate remote-administration traffic rather than custom malware
- Impact: Direct manipulation of the SCADA setpoints controlling water pressure and flow, driving pressure high enough to burst pipes
- Data Destruction: A wiper-style component destroyed logs and configuration data, complicating incident response and forensic analysis
Part of a Broader Hybrid Warfare Campaign
Danish officials characterized the attacks as part of Russia's systematic "hybrid war" against Western nations supporting Ukraine. "The Russian state uses both groups as instruments of its hybrid war against the West. The aim is to create insecurity in the targeted countries and to punish those that support Ukraine," the DDIS statement read.
The incidents fit a documented pattern of Russian aggression against European infrastructure. An Associated Press database has tracked 147 similar incidents since Russia's 2022 invasion of Ukraine. Examples include:
- Norway (April 2025): Pro-Russian hackers opened a valve at the Bremanger dam, releasing roughly 500 liters of water per second for four hours; Norwegian intelligence publicly attributed the intrusion to Russia in August 2025
- Germany (2024): Cyberattack on the systems of the German air traffic control authority, which later led to the summoning of Russia's ambassador. Read our detailed analysis: Germany Accuses Russia of Air Traffic Control Attack as Aviation Cybersecurity Crisis Deepens
- Denmark (May 2023): The country's largest recorded cyberattack compromised 22 companies in the energy sector through a critical vulnerability in Zyxel firewalls (CVE-2023-28771) for which a patch had been available but not applied
Critical infrastructure targeting rose 34% through 2025, as documented in our Briefing on the 2025 Cybersecurity Landscape: Key Threats, Trends, and Incidents.
Government Response and Diplomatic Actions
Denmark's Defense Minister Troels Lund Poulsen issued a stark warning: "This is very clear evidence that we are now where the hybrid war we have been talking about is unfortunately taking place. It once again puts the spotlight on the situation we find ourselves in in Europe."
Torsten Schack Pedersen, Denmark's Minister for Resilience and Preparedness, acknowledged the country's vulnerabilities: "The cyberattacks show that Denmark is not sufficiently equipped to handle such situations. I think you have to be incredibly naive if you think we are at the top of cybersecurity."
Denmark summoned Russia's ambassador for clarifications on the incidents. The move follows a similar diplomatic action by Germany, which summoned Russia's ambassador on December 12, 2025, after accusing Moscow of multiple cyber operations, including attempted election interference.
International Context: CISA Joint Advisory
The timing of Denmark's attribution aligns with heightened international concern about Russian hacktivist operations. On December 9, 2025, CISA issued a joint advisory with the FBI, NSA, Europol's European Cybercrime Centre (EC3), and various other agencies, warning that pro-Russia hacktivist groups, including NoName057(16), Z-Pentest, Sector16, and CARR, are actively targeting critical infrastructure worldwide.
The U.S. State Department has offered substantial rewards for information:
- Up to $2 million for information on CARR members
- Up to $10 million for details on individuals linked to NoName057(16)
Critical Security Lessons
This incident reinforces several fundamental security principles for critical infrastructure operators:
1. Never Compromise on Cybersecurity Budget
The Danish water utility's experience demonstrates the catastrophic consequences of cost-cutting in security. Critical infrastructure demands enterprise-grade security controls, not budget alternatives.
2. Implement Defense-in-Depth for OT Environments
Water utilities and other critical infrastructure must:
- Segment OT networks from IT networks
- Implement strict access controls for SCADA systems
- Deploy behavioral analytics for anomaly detection
- Maintain comprehensive logging and monitoring
- Regularly audit remote access solutions
3. Eliminate Weak Remote Access
The exploitation of poorly secured VNC and other remote access solutions remains a primary attack vector. Organizations must:
- Replace legacy remote access with zero-trust architecture
- Implement multi-factor authentication
- Monitor all remote connections
- Regularly audit access permissions
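The "poorly secured VNC" vector described above is easy to check for yourself: the very first thing an RFB (VNC) server sends after its version banner is the list of security types it will accept, and a server that offers type 1 ("None") lets anyone drive the HMI. The script below is an added example, not code from the article or from any of the groups or agencies it mentions. It parses that handshake from raw bytes and classifies the result; the host names and the handshake bytes in SAMPLE_HANDSHAKES are constructed, and audit_vnc_host is the same parser wired to a live socket for use against your own assets.

```python
"""Audit an RFB (VNC) server's advertised authentication.

Added example, not from the original article: parses the server side of
the RFB handshake (ProtocolVersion banner plus the security-type message)
and flags servers that offer no authentication or only the legacy DES
challenge. All sample handshakes below are constructed, not captured.
"""
import socket
import struct

# Security-type numbers from RFC 6143 and the community RFB registry.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple ARD",
}

# Types that give no meaningful protection on a plain TCP link.
WEAK_TYPES = {1, 2}


def parse_rfb_handshake(data: bytes) -> dict:
    """Parse the server's banner and security message from raw bytes.

    `data` must start with the 12-byte banner "RFB xxx.yyy\n" followed by
    the security message in the format that protocol version uses.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB banner")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    types, reason = [], None
    if (major, minor) >= (3, 7):
        # 3.7+: u8 count followed by `count` u8 security types. A count of
        # zero means the server refused and appended a u32-length reason.
        count = body[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", body[1:5])
            reason = body[5:5 + rlen].decode("latin-1", "replace")
        else:
            types = list(body[1:1 + count])
    else:
        # 3.3: the server chooses a single security type, sent as a u32.
        (single,) = struct.unpack(">I", body[:4])
        if single == 0:
            (rlen,) = struct.unpack(">I", body[4:8])
            reason = body[8:8 + rlen].decode("latin-1", "replace")
        else:
            types = [single]

    if 1 in types:
        verdict = "CRITICAL: unauthenticated access offered"
    elif types and all(t in WEAK_TYPES for t in types):
        verdict = "HIGH: only legacy VNC Authentication (DES challenge, no encryption)"
    elif types:
        verdict = "INFO: stronger security types available"
    else:
        verdict = "REFUSED: " + (reason or "no reason given")
    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "verdict": verdict,
    }


def audit_vnc_host(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Run the same classification against a live endpoint (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        s.sendall(banner)          # echo the server's version to proceed
        rest = s.recv(64)
    return parse_rfb_handshake(banner + rest)


# Constructed handshakes for four fictional OT hosts.
SAMPLE_HANDSHAKES = {
    "plc-hmi-01": b"RFB 003.008\n" + bytes([1, 1]),         # offers None only
    "pump-hmi-02": b"RFB 003.008\n" + bytes([1, 2]),        # VNC Auth only
    "eng-ws-03": b"RFB 003.008\n" + bytes([2, 19, 2]),      # VeNCrypt + VNC Auth
    "legacy-hmi": b"RFB 003.003\n" + struct.pack(">I", 1),  # 3.3 server, None
}


def audit_samples() -> dict:
    """Classify every constructed handshake; returns {host: result}."""
    return {name: parse_rfb_handshake(raw) for name, raw in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    for name, r in audit_samples().items():
        print(f"{name:12} RFB {r['version']:<4} {r['security_types']} -> {r['verdict']}")
```

Run it against your own exported asset list with audit_vnc_host and treat every CRITICAL or HIGH result as a finding: even "VNC Authentication" is an eight-character DES challenge over cleartext, so the only acceptable answers for an internet- or vendor-reachable HMI are a refusal, VeNCrypt/TLS behind a VPN, or no VNC listener at all.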
4. Maintain Incident Response Capabilities
The wiper variant that destroyed logs highlights the importance of:
- Immutable backup systems
- External log aggregation
- Tested incident response procedures
- Cyber insurance coverage
5. Recognize the Threat Landscape
Water utilities must acknowledge they are targets in geopolitical conflicts. Nation-state actors view critical infrastructure as legitimate targets in hybrid warfare campaigns.
Recommendations for Water Utility Operators
Based on this incident and broader threat intelligence, water utilities should immediately:
- Conduct Security Assessments: Review all remote access solutions, particularly VNC implementations
- Validate OT Security Controls: Ensure SCADA systems are properly segmented and monitored
- Review Cybersecurity Budgets: Evaluate whether current security investments align with the threat landscape
- Implement Behavioral Monitoring: Deploy analytics capable of detecting anomalous pressure changes or system modifications
- Establish Incident Response Plans: Test procedures for responding to control system compromises
- Consider Cyber Insurance: As recommended by the Danish facility director, obtain appropriate coverage
- Participate in Information Sharing: Join sector-specific ISACs and collaborate with government cybersecurity agencies
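"Behavioral monitoring" for a pressure loop does not need machine learning to catch what happened at Tureby Alkestrup: a setpoint written from a remote session, a pressure excursion outside the engineered band, and a swing faster than the pumps can physically produce are each a single rule. The code below is an added example (not from the article, the utility, or any SCADA vendor) that runs those rules over historian-style samples. The tag names P_OUT and P_SP, the limits, the source labels, and every sample record in build_sample_incident are constructed; it goes beyond the incident itself by also checking setpoint provenance, which is the rule that would fire first in an attack over remote access.

```python
"""Rule-based anomaly detection for a water-utility pressure loop.

Added example, not taken from the article or any vendor product. It runs
physical-plausibility and provenance rules over historian-style samples
and reports alerts. Tag names, limits, source labels and all sample
records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Sample:
    ts: datetime
    tag: str        # "P_OUT" = measured outlet pressure, "P_SP" = pressure setpoint
    value: float    # bar
    source: str     # who produced it: "sensor", "local-hmi", "remote-vnc", ...


@dataclass
class Limits:
    p_min: float = 2.5          # bar; below this, supply to customers fails
    p_max: float = 6.0          # bar; above this, pipe joints are at risk
    max_rate: float = 0.5       # bar/min the pumps can legitimately produce
    sp_min: float = 3.0         # lowest setpoint an operator may enter
    sp_max: float = 5.5         # highest setpoint an operator may enter
    trusted_sources: tuple = ("local-hmi",)   # where setpoint writes may come from


def detect_anomalies(samples, limits=None):
    """Return one alert dict per rule violation, in time order."""
    limits = limits or Limits()
    alerts = []
    last_measure = None
    for s in sorted(samples, key=lambda x: x.ts):
        if s.tag == "P_SP":
            # Provenance: a setpoint write from anywhere but the control-room
            # HMI is suspect even when the value itself looks sane.
            if s.source not in limits.trusted_sources:
                alerts.append({"ts": s.ts, "rule": "SETPOINT_WRITE_UNTRUSTED_SOURCE",
                               "detail": f"{s.source} wrote P_SP={s.value}"})
            if not limits.sp_min <= s.value <= limits.sp_max:
                alerts.append({"ts": s.ts, "rule": "SETPOINT_OUT_OF_RANGE",
                               "detail": f"P_SP={s.value} outside {limits.sp_min}-{limits.sp_max}"})
        elif s.tag == "P_OUT":
            # Physical band: the process should never leave its engineered envelope.
            if not limits.p_min <= s.value <= limits.p_max:
                alerts.append({"ts": s.ts, "rule": "PRESSURE_OUT_OF_BAND",
                               "detail": f"P_OUT={s.value}"})
            # Rate of change: pressure cannot move faster than the pumps allow;
            # a faster swing means a manipulated setpoint or a burst main.
            if last_measure is not None:
                minutes = (s.ts - last_measure.ts).total_seconds() / 60
                if minutes > 0:
                    rate = abs(s.value - last_measure.value) / minutes
                    if rate > limits.max_rate:
                        alerts.append({"ts": s.ts, "rule": "PRESSURE_RATE_EXCEEDED",
                                       "detail": f"{rate:.2f} bar/min"})
            last_measure = s
    return alerts


def build_sample_incident():
    """Constructed telemetry: a remote session raises the setpoint, pressure
    climbs past the safe band, then collapses as a pipe gives way."""
    t0 = datetime(2024, 12, 1, 2, 0)            # constructed timestamp
    m = lambda k: t0 + timedelta(minutes=k)
    return [
        Sample(m(0), "P_OUT", 4.2, "sensor"),
        Sample(m(1), "P_OUT", 4.2, "sensor"),
        Sample(m(2), "P_SP", 4.2, "local-hmi"),   # routine operator write
        Sample(m(3), "P_OUT", 4.3, "sensor"),
        Sample(m(4), "P_SP", 9.0, "remote-vnc"),  # hostile write over VNC
        Sample(m(5), "P_OUT", 5.5, "sensor"),     # climbing faster than pumps allow
        Sample(m(6), "P_OUT", 7.1, "sensor"),     # above p_max
        Sample(m(7), "P_OUT", 1.8, "sensor"),     # burst: pressure collapses
    ]


def summarize(alerts):
    """Count alerts per rule, for a dashboard or a test."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_anomalies(build_sample_incident()):
        print(a["ts"].strftime("%H:%M"), a["rule"], a["detail"])
```

The ordering of the alerts is the point: the provenance rule fires at 02:04, a full minute before the first physical symptom, and two minutes before pressure leaves the safe band. Feed the detector from a historian or OPC UA subscription that is mirrored to an external collector, not from the HMI host itself, so the alert survives even if logs on the compromised machine are wiped.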
Strategic Implications
This incident represents a concerning evolution in Russia's cyber operations against the West. Unlike espionage-focused campaigns, these attacks demonstrate willingness to cause physical damage and disrupt essential services to civilian populations.
The targeting of water infrastructure, elections, and other critical systems suggests a strategy designed to:
- Demonstrate capability and reach
- Create public fear and uncertainty
- Identify vulnerabilities in NATO countries
- Consume law enforcement and cybersecurity resources
- Signal consequences for supporting Ukraine
Western nations must recognize that critical infrastructure protection is now a national security imperative requiring sustained investment and international cooperation.
Conclusion
Denmark's public attribution of these attacks marks an important step in holding Russian state actors accountable for cyberattacks against critical infrastructure. The incident serves as a wake-up call for utilities worldwide: the threat is real, active, and capable of causing significant disruption.
The Danish water utility's experience—caused by a decision to downgrade security controls—provides a cautionary tale. In the current threat landscape, cutting cybersecurity budgets for critical infrastructure isn't just poor risk management; it's an invitation to nation-state adversaries actively seeking vulnerable targets.
As Denmark's defense minister noted, the hybrid war that security professionals have warned about is no longer theoretical—it's happening now, with real consequences for civilian populations. Water utilities and other critical infrastructure operators must respond accordingly.
Additional Resources
From CISO Marketplace:
- The Rising Tide of Cyber Threats: How Hackers Are Targeting Global Water Infrastructure
- Russia's Sandworm Pivots: Why Misconfigured Edge Devices Are Now the Primary Target for Critical Infrastructure Attacks
- The Ukrainian Woman Who Sabotaged Children's Water Parks and Critical Infrastructure for Russia
For organizations seeking guidance on critical infrastructure protection:
- CISA's joint advisory on Russian hacktivist threats provides detailed technical indicators and mitigation strategies
- CISO Marketplace offers vCISO consulting and incident response services
- Contact QSai LLC for offensive security assessments and compliance guidance
This article is part of our ongoing coverage of critical infrastructure security and nation-state cyber threats. For incident response consulting, water utility security assessments, or vCISO services, visit CISO Marketplace.