Denmark Accuses Russia of Cyber-Attacks Targeting Critical Infrastructure and Elections


Danish intelligence reveals coordinated campaign by pro-Russian hacking groups in latest escalation of hybrid warfare tactics

Executive Summary

Denmark's Defence Intelligence Service (DDIS) publicly attributed two significant cyber-attacks to Russian state-connected actors on December 18, 2025, marking another escalation in Russia's hybrid warfare campaign against Western nations supporting Ukraine. The attacks—one targeting critical water infrastructure and another disrupting the democratic process—demonstrate the evolving threat landscape facing European nations and underscore the vulnerability of essential services to state-sponsored cyber operations.


The Attacks: Critical Infrastructure and Democratic Processes Under Fire

Water Utility Compromise - December 2024

In what DDIS attributes to the pro-Russian group Z-Pentest, hackers successfully infiltrated a water utility in Køge, Denmark, gaining control of operational technology systems and manipulating pump pressure settings. The attack resulted in three burst pipes, though damage remained contained.

Technical Significance: This incident represents a rare instance where cyber attackers achieved direct physical impact on critical infrastructure through OT manipulation—a scenario long feared by cybersecurity professionals but infrequently realized in practice. The attack demonstrates:

  • Successful breach of industrial control systems (ICS)
  • Operational technology (OT) manipulation capabilities
  • Understanding of physical processes and their cyber-control mechanisms
  • Intent to cause tangible damage rather than mere disruption

Election-Targeted DDoS Campaign - November 2025

The second campaign, attributed to NoName057(16)—a group with established links to Russian intelligence services—consisted of distributed denial-of-service attacks targeting Danish websites during the lead-up to municipal and regional council elections in November 2025.

Strategic Implications: DDIS assessment indicates these attacks served multiple objectives:

  • Creating public uncertainty during democratic processes
  • Demonstrating cyber capabilities as a form of intimidation
  • Punishing Denmark for its support of Ukraine
  • Testing Western responses and resilience
  • Establishing a pattern observed across multiple European elections

The Threat Actor Landscape

Z-Pentest: Critical Infrastructure Specialists

Z-Pentest represents a concerning evolution in Russian state-aligned hacking groups. Unlike traditional cybercriminal organizations focused on financial gain, Z-Pentest demonstrates:

  • Advanced understanding of industrial control systems
  • Willingness to cause physical damage
  • Operational security sufficient to penetrate critical infrastructure
  • Coordination with broader Russian strategic objectives

NoName057(16): The DDoS Specialists

NoName057(16) has emerged as Russia's primary distributed denial-of-service weapon, conducting coordinated campaigns across multiple European nations. The group's activities consistently align with Russian foreign policy objectives, particularly targeting nations providing military or humanitarian support to Ukraine.

Related Coverage: For more on Russia's DDoS capabilities and campaigns, see our analysis of Three Major DDoS Attacks in July 2025 which details similar operations targeting Ukrainian media and Russian-occupied territories.

Established Patterns:

  • Targeting during politically sensitive periods (elections, policy announcements)
  • Cross-border coordination suggesting state-level resources
  • Public claims of responsibility for propaganda value
  • Escalating sophistication in attack methodologies

Denmark's Response: Acknowledgment of Inadequacy

In a remarkably candid assessment, Danish officials acknowledged significant gaps in national cybersecurity capabilities. Minister for Resilience and Preparedness Torsten Schack Pedersen stated bluntly: "I think you have to be incredibly naive if you think we are at the top of cybersecurity."

This admission is significant because:

  1. It breaks from typical government messaging that tends to project confidence in defensive capabilities
  2. It signals urgency for increased cybersecurity investment and international cooperation
  3. It acknowledges the reality that even advanced European nations struggle against state-sponsored threats
  4. It creates political space for necessary but expensive security infrastructure improvements

Diplomatic and Defense Responses

Denmark's response includes:

  • Summoning the Russian ambassador for a formal diplomatic protest
  • Public attribution with specific group identification
  • Integration with broader European security coordination
  • Acknowledgment that current defenses are insufficient

Defense Minister Troels Lund Poulsen characterized the incidents as "very clear evidence that we are now where the hybrid war we have been talking about is unfortunately taking place."

The Hybrid Warfare Context

These cyber-attacks exist within a broader pattern of Russian hybrid warfare operations targeting European nations:

September 2025: Drone Incursions

Copenhagen classified a series of drone incursions on Danish airports and military sites as "hybrid attacks," exposing vulnerabilities that contributed to plans for a European "drone wall."

Pattern Recognition Across Europe

DDIS identified similar attack patterns targeting elections across multiple European nations, suggesting coordinated campaigns rather than isolated incidents.

Related Coverage: Germany has also faced Russian hybrid warfare, as detailed in our report on Germany's Accusation of Russia for Air Traffic Control Attack, which attributed attacks to APT28 (Fancy Bear).

Strategic Objectives

Russia's hybrid warfare campaign pursues multiple interconnected goals:

  • Undermining confidence in critical infrastructure security
  • Creating political pressure to reduce support for Ukraine
  • Testing defensive capabilities and response protocols
  • Demonstrating reach into Western nations' most sensitive systems
  • Normalizing low-intensity conflict below traditional warfare thresholds

Russia's APT28 and State-Sponsored Cyber Operations

The Denmark attacks fit into a broader pattern of Russian state-sponsored operations, particularly those conducted by APT28 (Fancy Bear), a GRU military intelligence unit operating since at least 2004.

Key APT28 Operations:

  • 2016 DNC Breach: High-profile attack aimed at influencing U.S. presidential election
  • 2017 Macron Campaign: Targeted Emmanuel Macron's campaign with email leaks and disinformation
  • 2021-2025 France Campaign: Systematic targeting of French ministries, defense contractors, and think tanks (detailed analysis here)
  • August 2024 Germany: Attack on Deutsche Flugsicherung air traffic control systems
  • November 2025: First-ever arrest of APT28 member Alexey Lukashev in Thailand (full story here)

Technical and Strategic Implications for Organizations

For Critical Infrastructure Operators

The Køge water utility attack provides several critical lessons:

  1. OT Security Cannot Be Delayed: Organizations can no longer justify postponing operational technology security improvements. The attack demonstrates that theoretical risks are now operational realities.
  2. Network Segmentation Is Essential: Proper segmentation between IT and OT environments remains the primary defense against cascading compromise.
  3. Physical Impact Scenarios Must Be Tested: Incident response plans must account for cyber-attacks causing physical damage, requiring coordination between cyber teams, operational staff, and emergency services.
  4. Supply Chain Visibility Is Critical: Understanding every component in critical systems—and their security posture—is no longer optional.

For All Organizations

  1. DDoS Resilience Must Scale: As state actors increasingly employ DDoS as a preferred weapon, organizations must ensure adequate capacity and mitigation strategies.
  2. Geopolitical Risk Assessment: Organizations must incorporate geopolitical analysis into their risk assessment frameworks, understanding how national foreign policy positions might make them targets.
  3. Public-Private Intelligence Sharing: The speed and specificity of Denmark's attribution demonstrates the value of intelligence-sharing partnerships between government and private sector.
  4. Incident Response Must Include Attribution Considerations: Organizations should preserve forensic evidence with the understanding that incidents may become matters of international significance.

Russia's Evolving Cyber Warfare Tactics

From Espionage to Physical Impact

Russia's cyber operations have evolved significantly over the past decade:

Early Phase (2004-2015): Focus on espionage and information gathering

  • APT28 operations targeting government and military networks
  • Intelligence collection from political organizations
  • Development of sophisticated malware capabilities

Influence Phase (2016-2019): Information warfare and election interference

  • DNC breach and WikiLeaks collaboration
  • Macron campaign targeting
  • NotPetya global disruption (2017) - $10 billion in damage

Hybrid Warfare Phase (2020-Present): Multi-vector attacks combining cyber and physical operations

The Ukraine Conflict Catalyst

Russia's invasion of Ukraine in 2022 dramatically accelerated hybrid warfare operations:

Direct Attacks on Ukraine:

Counter-Operations:

Western Target Expansion:

  • Attacks on nations supporting Ukraine (Denmark, Germany, France)
  • Election interference campaigns across Europe
  • Critical infrastructure reconnaissance and attack preparation

The Attribution Question: Why Public Disclosure Matters

Denmark's decision to publicly attribute these attacks with specific group identification represents a significant diplomatic and cybersecurity decision. This approach:

Creates Accountability

Public attribution imposes reputational and diplomatic costs on Russia, even when direct consequences remain limited.

Strengthens Allied Coordination

Detailed attribution enables other nations to improve their defensive postures based on specific threat actor TTPs (tactics, techniques, and procedures).

Deters Future Operations

While unlikely to stop state-sponsored operations entirely, public attribution raises the cost-benefit calculation for attackers.

Educates the Public

Transparency about hybrid warfare helps populations understand the threats facing their nations, building political support for necessary security investments.

Related Coverage: For comprehensive analysis of the 2025 threat landscape including state-sponsored attribution statistics, see our Briefing on the 2025 Cybersecurity Landscape, which documents that 39% of all major cyber-attacks were attributed to state-sponsored actors.

The "Space Between Peace and War"

As the new head of MI6 recently characterized the current environment, Western nations find themselves in a "space between peace and war"—a gray zone where traditional deterrence models struggle to apply.

This ambiguity creates several challenges:

  1. Response Calibration: How should democratic nations respond to attacks that cause limited damage but demonstrate significant capability?
  2. Alliance Coordination: NATO and EU frameworks were designed for conventional warfare, not persistent low-intensity cyber operations.
  3. Private Sector Role: Critical infrastructure is predominantly privately owned, creating complex questions about responsibility and capability.
  4. Legal Frameworks: International law governing cyber operations remains underdeveloped, with limited consensus on what constitutes an armed attack in cyberspace.

The Broader Context: Russia's Cyber Warfare Ecosystem

State-Sponsored Groups

Russia's cyber capabilities are distributed across multiple intelligence agencies:

GRU (Military Intelligence):

  • APT28 (Fancy Bear, Forest Blizzard, BlueDelta)
  • APT29 targeting documented in multiple campaigns
  • Sandworm Team (NotPetya, Ukrainian power grid attacks)

FSB (Federal Security Service):

SVR (Foreign Intelligence Service):

  • SolarWinds supply chain compromise (2020)
  • Long-term espionage campaigns
  • Strategic intelligence collection

Pro-Russian Proxy Groups

Beyond formal intelligence agencies, Russia leverages proxy organizations:

  • Z-Pentest: Critical infrastructure targeting specialist
  • NoName057(16): DDoS operations specialist
  • Various hacktivist groups: Coordinated operations with plausible deniability

The Blowback: Targeting Russia Itself

Interestingly, Russia has also become a target of cyber operations, reversing decades of one-directional threat flow:

DarkGaboon Campaign: A financially-motivated group has spent two years targeting Russian companies with leaked LockBit 3.0 ransomware, attacking banking, retail, tourism, and public service sectors across Russia. This represents a remarkable reversal in the traditional geography of cyber threats.

U.S. Federal Court Breach: Russia's Intelligence Gathering

The Denmark attacks follow other significant Russian operations, including the breach of U.S. federal judiciary systems, where Russian hackers:

  • Compromised the PACER electronic filing system
  • Targeted criminal cases with Russian and Eastern European connections
  • Potentially exposed confidential informant identities
  • Accessed sealed case documents across multiple federal districts

This breach highlighted decades of cybersecurity neglect in critical judicial infrastructure and demonstrated Russia's focus on intelligence gathering operations that target specific individuals and cases of strategic interest.

Recommendations for Organizations

Immediate Actions

  1. Review OT Security Posture: If your organization operates industrial control systems, conduct immediate security assessments focusing on remote access capabilities and network segmentation.
  2. Test DDoS Resilience: Conduct realistic DDoS simulations to identify capacity limitations and mitigation gaps.
  3. Update Threat Models: Incorporate state-sponsored actors into threat modeling, particularly if your organization operates in critical infrastructure sectors or nations with strong Ukraine support positions.
  4. Enhance Monitoring: Implement or improve detection capabilities for unusual operational changes, particularly in OT environments.
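The "Enhance Monitoring" action above and the Køge pump-pressure manipulation described earlier both come down to the same defensive question: would an operator notice a setpoint being pushed outside its engineered range, from a host that should never write to the controller, in rapid succession? The following detector is an added example written for this article; it is not DDIS material nor code from the utility or any vendor. The log format, tag names, pressure bands, host names and sample lines are all constructed for illustration.

```python
"""
Added example (not from the original article): flag suspicious setpoint
writes in an OT audit log. Every tag, limit, host and log line here is
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Engineered operating band per tag, in bar (constructed values).
SAFE_BANDS = {
    "PUMP1.PRESSURE_SP": (2.0, 6.0),
    "PUMP2.PRESSURE_SP": (2.0, 6.0),
}
# Only the local HMI stations may write setpoints (constructed host names).
AUTHORIZED_WRITERS = {"HMI-01", "HMI-02"}
# Largest single-step change an operator would normally make (constructed).
MAX_STEP = 1.0
# Three or more writes to one tag inside this window is abnormal (constructed).
RAPID_WINDOW = timedelta(seconds=120)
RAPID_COUNT = 3


@dataclass
class SetpointChange:
    ts: datetime
    tag: str
    old: float
    new: float
    writer: str


def parse_line(line):
    """Parse one audit line in the constructed format
    '<ISO timestamp> SETPOINT <tag> <old>-><new> by <host>'.
    Returns None for any other event type or malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "SETPOINT":
        return None
    ts, _, tag, delta, _by, writer = parts
    old_s, new_s = delta.split("->")
    return SetpointChange(datetime.fromisoformat(ts), tag,
                          float(old_s), float(new_s), writer)


def assess(change, recent):
    """Return the rule names this change violates (empty if benign).
    `recent` maps tag -> timestamps of earlier writes, used for the
    rapid-repeat rule and updated in place."""
    findings = []
    lo, hi = SAFE_BANDS.get(change.tag, (float("-inf"), float("inf")))
    if not lo <= change.new <= hi:
        findings.append("outside_safe_band")
    if change.writer not in AUTHORIZED_WRITERS:
        findings.append("unauthorized_writer")
    if abs(change.new - change.old) > MAX_STEP:
        findings.append("large_step")
    # Sliding window: drop writes older than the window, then count.
    window = [t for t in recent.get(change.tag, []) if change.ts - t <= RAPID_WINDOW]
    window.append(change.ts)
    recent[change.tag] = window
    if len(window) >= RAPID_COUNT:
        findings.append("rapid_repeat")
    return findings


def scan(lines):
    """Run every rule over an audit log; return (tag, writer, findings) per alert."""
    alerts, recent = [], {}
    for line in lines:
        change = parse_line(line)
        if change is None:
            continue
        findings = assess(change, recent)
        if findings:
            alerts.append((change.tag, change.writer, findings))
    return alerts


# Constructed audit excerpt: routine HMI tuning, then a remote host walking
# both pump setpoints upward, then an operator pulling PUMP2 back.
SAMPLE_LOG = [
    "2024-12-03T02:14:07 SETPOINT PUMP1.PRESSURE_SP 4.0->4.5 by HMI-01",
    "2024-12-03T02:20:00 PUMPSTART PUMP2 by HMI-01",
    "2024-12-03T02:31:55 SETPOINT PUMP1.PRESSURE_SP 4.5->8.5 by VPN-GW-7",
    "2024-12-03T02:32:10 SETPOINT PUMP2.PRESSURE_SP 4.0->7.9 by VPN-GW-7",
    "2024-12-03T02:33:01 SETPOINT PUMP1.PRESSURE_SP 8.5->9.0 by VPN-GW-7",
    "2024-12-03T02:33:30 SETPOINT PUMP1.PRESSURE_SP 9.0->9.5 by VPN-GW-7",
    "2024-12-03T02:40:00 SETPOINT PUMP2.PRESSURE_SP 7.9->4.0 by HMI-02",
]

if __name__ == "__main__":
    for tag, writer, findings in scan(SAMPLE_LOG):
        print(f"{tag:<20} {writer:<10} {', '.join(findings)}")
```

On the constructed excerpt the first HMI adjustment passes silently, the four writes from the non-HMI host each trip the safe-band and authorized-writer rules, the fourth also trips the rapid-repeat rule, and the operator's corrective write is flagged only as a large step, which is the kind of low-severity finding a SOC would tune rather than suppress. The point is that the three cheap signals (value outside the engineered band, write from an unexpected source, burst of writes) are available from existing historian or HMI audit data without any change to the control loop itself.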

Strategic Initiatives

  1. Establish Intelligence Partnerships: Develop relationships with national cybersecurity agencies and information-sharing organizations to receive tactical threat intelligence.
  2. Cross-Train Teams: Ensure IT security teams understand OT implications and vice versa, building organizational capability to respond to convergent threats.
  3. Document Foreign Connections: Understand and document all technology components, vendors, and service providers with connections to adversarial nations.
  4. Scenario-Based Planning: Develop incident response scenarios specifically addressing state-sponsored attacks on critical systems, including coordination with emergency services and government agencies.

Statistical Context: The 2025 Cyber Warfare Landscape

The Denmark incidents occur within a broader context of escalating cyber warfare:

Attack Volume:

  • 47% year-over-year increase in weekly cyber attacks per organization (Q1 2025)
  • 126% surge in ransomware incidents globally
  • Record-breaking ransomware quarter with 2,063 new victims

State-Sponsored Activity:

  • 39% of all major cyber-attacks attributed to state-sponsored actors
  • Russia, China, and U.S. account for 61% of cyber warfare activity
  • 34% increase in attacks on critical infrastructure (energy, water, transport)

Economic Impact:

  • $13.1 billion estimated cost of cyber warfare damages in 2025
  • 21% increase from previous year
  • $10 billion in damages from NotPetya alone (2017 attack)

Law Enforcement Response: Breaking Russian Impunity

For decades, Russian cyber criminals and state-sponsored hackers operated with near-total impunity, protected by Russia's refusal to extradite citizens. However, recent developments suggest this calculus is changing:

Operation Endgame (2025): International law enforcement operation targeted major cybercrime infrastructure, resulting in over 1,000 arrests globally.

Operation Cronos (February 2024): Dismantled LockBit ransomware infrastructure, revealing the group's dishonesty (they never deleted victim data despite promises).

Alexey Lukashev Arrest (November 2025): First-ever arrest of APT28 GRU officer outside Russia, captured in Thailand. This arrest signals:

  • Breaking of Russian sanctuary protection
  • Real risks for traveling outside Russian borders
  • Potential intelligence value beyond prosecution
  • Signal of strong security cooperation between U.S. and Thailand

Operation Moonlander (2025): Dismantled 20-year botnet empire, indicting three Russian nationals and one Kazakhstani for operating proxy services built on compromised routers.

Looking Forward: The New Normal

Denmark's candid acknowledgment that it is not "at the top of cybersecurity" reflects a broader reality: no nation has perfected the defense of critical infrastructure against state-sponsored cyber operations. The attacks on Danish water utilities and election-related websites represent not anomalies but the emerging baseline of hybrid warfare.

Organizations and nations must adapt to this reality:

  • Persistent Threats: State-sponsored operations will continue and likely escalate as geopolitical tensions increase.
  • Expanding Targets: No sector can assume it falls outside the scope of hybrid warfare operations.
  • Capability Gaps: Most organizations and many nations lack the resources to defend against state-level threats independently.
  • Collective Defense: Only through coordinated international efforts, public-private partnerships, and robust information sharing can democratic nations build adequate resilience.

The Danish incidents serve as both warning and opportunity—a chance to strengthen defenses before more damaging attacks occur, and a reminder that the threat is both real and immediate.

Conclusion: The Escalating Digital Battlefield

Denmark's attribution of cyber-attacks to Russian state-connected groups represents more than a diplomatic protest—it's a stark acknowledgment that hybrid warfare has moved from theoretical concern to operational reality. The attacks on water infrastructure and election systems demonstrate Russia's willingness to target the foundational elements of democratic societies.

Key Takeaways:

  1. Physical Impact is Real: The Køge water utility attack proves cyber operations can cause tangible physical damage to critical infrastructure.
  2. Democratic Processes are Targets: Election-focused DDoS campaigns aim to undermine confidence in democratic institutions.
  3. Defense Gaps are Significant: Even advanced European nations acknowledge inadequate cybersecurity capabilities against state-level threats.
  4. Hybrid Warfare is Here: The combination of cyber-attacks, drone incursions, and information operations represents the new normal in geopolitical competition.
  5. Collective Response Required: No nation can defend against these threats alone—international cooperation and information sharing are essential.

As we documented in our comprehensive 2025 cybersecurity landscape analysis, state-sponsored cyber operations now account for 39% of all major attacks, with Russia, China, and the United States collectively responsible for 61% of observed cyber warfare activity. The Denmark incidents are not isolated events but part of a broader pattern of aggressive cyber operations that will define the security landscape for years to come.

The question is no longer whether organizations will face state-sponsored cyber threats, but when—and whether they will be prepared to respond effectively.



This analysis is based on public reporting from Danish Defence Intelligence Service (DDIS), The Guardian, and other open-source intelligence. Organizations concerned about their exposure to state-sponsored threats should consult with national cybersecurity agencies and qualified security consultants.
