A recent destructive cyberattack on Denmark’s water utility underscores a growing global threat: pro-Russian hacktivist groups are targeting critical infrastructure. Danish intelligence revealed that a group called Z-Pentest was behind the water facility breach, allegedly acting on behalf of the Russian state. Around the same time, another Kremlin-linked outfit known as NoName057(16) launched disruptive DDoS attacks against Denmark’s election-related websites.
These incidents, now confirmed by Danish authorities, serve as a stark warning that critical systems (from water plants to power grids) are in the crosshairs of politically motivated hackers. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its international partners issued a joint advisory (Alert AA25-343A) detailing who these actors are, how they operate, and steps to defend against them. Below, we break down this advisory in plain language, explaining what is happening and how organizations can protect themselves.
Background: Rise of Pro-Russian Hacktivist Groups
Over the past few years, multiple hacktivist groups aligned with Russia’s interests have emerged. They aren’t officially part of the Russian government, but many operate with indirect state support or encouragement. These groups primarily formed after Russia’s 2022 invasion of Ukraine and have since expanded their focus to any countries perceived as supporting Ukraine.
Notable pro-Russian hacktivist groups include:
- Cyber Army of Russia Reborn (CARR): Ostensibly a “people’s cyber army” of patriotic hackers, CARR is suspected of being set up with help from Russian military intelligence (GRU). Initially, CARR orchestrated DDoS attacks (flooding websites offline) against Western targets. By late 2023, they bragged about hacking industrial control systems. For example, CARR claimed to have accessed a European wastewater treatment plant and even tampered with operations at U.S. dairy farms. CARR’s propaganda often features flashy images or videos pushing pro-Russian narratives and exaggerating their successes.
- NoName057(16): A hacktivist outfit created covertly under Kremlin sponsorship, known for its proprietary DDoS tool “DDoSia.” Since early 2022, NoName057(16) has relentlessly launched DDoS attacks on government and private websites across NATO countries and Europe. They coordinate via Telegram channels, even offering their DDoS tool to volunteer hackers. By 2024, NoName057(16) began teaming up with CARR on operations. At one point they jointly claimed to have hacked a U.S. industrial system. This close collaboration set the stage for new spinoff groups.
- Z-Pentest: Formed in September 2024 as a merger of members from CARR and NoName057(16), Z-Pentest shifted focus toward intrusions into operational technology (OT), meaning the control systems for physical processes like machinery, pumps, and valves. Unlike others, Z-Pentest largely avoids simple website DDoS attacks. Instead, they seek notoriety by hacking into actual control devices and defacing or disrupting them. They often post videos of their exploits (for instance, showing a human–machine interface screen they’ve hijacked and renaming system labels to pro-Russian slogans). Z-Pentest quickly allied with its parent groups and even newer actors to amplify their message.
- Sector16: A newcomer as of early 2025, Sector16 grew out of collaboration with Z-Pentest. They publicize their attacks (real or claimed) on U.S. energy infrastructure, often accompanied by videos and statements praising Russia. Sector16’s members appear relatively inexperienced, but their formation shows the copycat effect in action. There are hints that the Russian government might be encouraging or rewarding such groups for attacks that align with Moscow’s strategic goals, giving the state plausible deniability while still benefiting from the disruptions.
In summary, these pro-Russian hacktivists are loosely organized collections of patriotic (or financially motivated) attackers who share a common agenda of punishing countries that support Ukraine. They are not as technically skilled as official state hacking units (advanced persistent threats, or APTs), but they don’t need highly sophisticated techniques to cause trouble. Their strength lies in numbers, coordination via social media (like Telegram), and the abundance of poorly secured systems available on the internet.
Tactics: How They Breach and Deface Critical Systems
According to the joint CISA advisory, these hacktivists favor “low-hanging fruit”: easy opportunities rather than complex hacks. Their attacks are opportunistic; they cast a wide net for any vulnerable system instead of meticulously planning a single high-profile target. A favorite entry point is Virtual Network Computing (VNC), a remote desktop protocol that lets users control a computer (in this case, an industrial interface) over the internet. Many organizations use VNC for legitimate remote access to operations, but if it’s left exposed online with weak or default passwords, it becomes an open door for attackers.
Here is how a typical attack often unfolds:
- Scan for Exposed Systems: The attackers use simple scanning tools (like Nmap or online scanners) to sweep the internet for devices with VNC or other remote desktop ports open (usually port 5900). They often filter scans by country or industry sector. For example, they might specifically search for systems in NATO countries or related to water utilities, farms, and energy sites.
- Set Up Anonymity: Before engaging a target, the hackers hide their tracks by routing through disposable infrastructure. They might rent a cheap virtual private server (VPS) or use proxy networks and VPNs to mask their real location. This “burner” infrastructure lets them run attack tools without exposing their own machines.
- Attempt VNC Login: Once they find a VNC-accessible HMI (human–machine interface, essentially the screen and controls for an industrial system), they try to connect. In many cases, shockingly, these systems have no password at all or still use a well-known factory default password. The hackers maintain lists of default credentials (like “admin/admin” or other vendor defaults) and try those first.
- Brute-Force if Necessary: If a password is set but is weak, they run automated password-guessing tools to brute-force it. This software rapidly tries common passwords and slight variations until it hits the right one. Unfortunately, many industrial devices use credentials like “1234” or “password,” which are cracked within seconds.
- Gain Access to the Controls: Once logged in, the attacker can see and interact with the same interface an operator uses. Imagine a screen with diagrams of pumps, valves, and temperature gauges controlling a physical process. The hackers might not know how to operate the system properly (they’re usually not experts in industrial processes), but at this point they have free rein to poke around and see what they can manipulate.
- Tamper with Settings and Devices: Now the intruder looks for ways to cause mischief or disruption within the system. Common actions include:
  - Changing Display Information: Renaming devices or labels on the HMI to something political or profane (essentially digital graffiti). For example, an attacker might rename “Water Pump 3” to “Owned_by_CyberArmy” just for bragging rights.
  - Altering Setpoints or Parameters: Changing thresholds or control setpoints if possible (for instance, raising a boiler’s pressure limit or altering a chlorine dosage level). These unauthorized changes won’t always cause immediate destruction (safety interlocks often prevent truly dangerous commands), but they can disrupt operations or stress the system.
  - Disabling Alarms: Clearing or silencing alarm notifications on the interface to hide evidence of tampering or to confuse operators. This could delay the detection of a real issue.
  - Changing Passwords / Locking Operators Out: In some cases, the hacker will change the HMI’s login credentials, effectively locking out the legitimate operators. This causes a “loss of view” for the staff. In other words, plant personnel can no longer monitor or control the process remotely until they visit the site to reset the system.
  - Shutting Down or Rebooting Devices: Attempting to shut down the controller or reboot the HMI computer. Whether the attacker succeeds or the operators preemptively shut things down to regain control, the outcome is unplanned downtime and a need to manually restart or restore systems.
- Document and Disconnect: Throughout the attack, the hacktivists often record video or take screenshots of the HMI screens. After a few minutes of wreaking havoc, they disconnect. They then quickly post about their “achievement” on Telegram or other social media (usually with those screenshots or videos) to brag about compromising a critical facility.
- DDoS as a Smokescreen (Optional): Sometimes these groups also unleash a Distributed Denial-of-Service (DDoS) attack against the victim’s public-facing websites or network, either simultaneously with the intrusion or shortly after. This flood of internet traffic can slow down or knock offline the company’s website or office network. The DDoS acts as a smokescreen to distract IT staff or to amplify the perceived impact of the attack (for example, the public sees the website down while the plant control system was being compromised).
None of these tactics are very advanced. Typically, there is no custom malware or deep stealth involved. The hackers’ success hinges on the unfortunate prevalence of lax security, such as internet-exposed control systems and default passwords. In essence, the attackers are testing doors across the internet and finding many left unlocked. Once inside, their behavior is closer to vandalism than a sophisticated nation-state operation. However, even reckless tinkering with industrial systems can have serious consequences, as real incidents have shown.
Real Incidents and Impact: Disruptions, Damage, and Safety Risks
So far, pro-Russian hacktivist attacks have caused localized disruptions and minor damage, but they carry the potential for far worse outcomes. Notable examples include:
- Denmark’s Water Facility Breach (2025): A cyberattack on a Danish water treatment plant was described by officials as “destructive and disruptive,” suggesting the hackers did more than just poke around. They may have manipulated valves or chemical dosing controls, causing a process upset or equipment damage. Even if water quality wasn’t harmed, the utility had to scramble to regain control, restore safe settings, and manage downtime. Alongside the election-related DDoS attacks, this incident prompted Denmark’s defense minister to condemn Russia’s “hybrid war” tactics and summon the Russian ambassador in protest. It underscores that no country (even those far from the Ukraine conflict) is off-limits as a target.
- U.S. Dairy Farm Intrusions (2023): In late 2023, several dairy farming operations in the United States had their automated milking or feeding systems hacked. The group CARR claimed responsibility, posting screenshots from the farms’ control interfaces. Practical damage was limited (perhaps just a brief halt in operations while systems were reset), but it proved that even agricultural facilities are within scope. For the farmers, just a few hours of downtime can spoil products or stress livestock, leading to significant financial losses.
- European Wastewater Plant Hack (2023): CARR also boasted about infiltrating a wastewater treatment plant in Europe. Tampering with wastewater processing could lead to environmental contamination or regulatory violations if not quickly caught. Fortunately, no public harm was reported. The facility likely had to switch to manual operations until the system was secured. This incident highlighted vulnerabilities in even smaller municipal utilities.
- Norwegian Dam Incident (2023): In one alarming case, hackers believed to be pro-Russian managed to access control systems at a hydroelectric dam in Norway. They manipulated the dam’s outflow valves, an action that could have led to uncontrolled water release and flooding downstream. Luckily, catastrophe was averted and no injuries occurred. Still, the event shows very real physical dangers. Systems like dams, power grids, and pipelines can have life-or-death consequences if misused.
Across these incidents, the most common immediate impact was a temporary loss of remote visibility or control. Operators suddenly found their HMIs unresponsive or found themselves locked out of the controls. In response, they had to dispatch personnel on-site to manually operate equipment (an inefficient and costly stopgap). Recovering normal operations often required wiping or reprogramming affected devices, changing all passwords, and tightening network access. For example, one U.S. company had to bring in an outside control systems engineer for a week to rebuild their PLC (programmable logic controller) configurations after an attack. It was an expensive but necessary recovery process.
Even short disruptions can have serious ripple effects. If a pipeline compressor station goes offline unexpectedly, gas pressure can drop and impact downstream customers. If a food processing plant’s pasteurizer is halted, a whole batch of product may spoil. These kinds of upsets can easily tally tens of thousands of dollars in losses, not to mention safety hazards or environmental damage in some cases.
The safety risks are especially concerning. These hacktivists have shown no regard for operational safety. They target live systems and blindly change settings, which is extremely dangerous. Disabling alarms or altering critical setpoints without understanding the process could lead to equipment failure or create hazardous conditions for workers and communities. So far, we’ve been lucky that no accidents or injuries have been directly tied to these incidents. But the attackers’ combination of ignorance and recklessness means it may only be a matter of time before a cyber incident causes a real-world safety event.
Unlike professional state-sponsored hackers who often avoid causing immediate physical harm, these hacktivist actors seem unconcerned about potential real-world consequences. Their motive is to embarrass and disrupt, not to operate the system safely. This makes them unpredictable and particularly dangerous to critical infrastructure.
Overall, the damage from these attacks has ranged from minor nuisances to significant disruptions. And there is a legitimate fear that as these groups get bolder or learn more, they could inadvertently (or deliberately) trigger a disaster. That is why cybersecurity authorities are warning operators to take action and bolster their defenses now.
How to Defend Against These Attacks
The encouraging news is that because these hackers rely on basic tactics, basic cybersecurity measures can be very effective at stopping them. The joint advisory from CISA and its partners outlines steps organizations should take. Here is a breakdown of the key defenses for both asset owners and the manufacturers of industrial equipment:
For Critical Infrastructure Operators (Asset Owners)
- Minimize Internet Exposure: Keep operational technology systems off the public internet as much as possible. If a control system doesn’t need internet access, ensure it isn’t accessible from outside your network. Use secure VPNs and strict firewall rules for any remote connectivity that is necessary. Adopting a “default deny” stance (block all inbound traffic by default, only allow what’s explicitly needed) can significantly reduce risk.
- Network Segmentation and DMZs: Separate your control networks from your business networks. Use network segmentation and demilitarized zones (DMZs) to create a buffer between the corporate IT environment and the OT environment. That way, even if an office computer is compromised, the attacker can’t directly hop into the control systems. If data needs to be shared between IT and OT, do it through a secure gateway or data diode in the DMZ, with careful monitoring.
- Strong Authentication: Protect all accounts on control systems with unique, strong passwords, and remove or change any default logins immediately. Enable multi-factor authentication (MFA) for remote access and any critical system accounts. This means that even if an attacker cracks or steals a password, they still cannot get in without that second factor (like a temporary code or physical token). It drastically lowers the chance of unauthorized access.
- Harden Remote Access Tools: If you use remote desktop or control software (such as VNC, RDP, or similar) for your operations, lock it down. Always run the latest patched versions of these tools. Turn off features or services you don’t use. Ideally, require that remote access be activated only when needed (for example, have it normally disabled and enable it only during maintenance windows). Monitor all remote access: keep logs of who connects and when, and set up alerts for any unusual activity (like connections from unrecognized IP addresses or at odd hours).
- Asset Inventory and Patching: Maintain an up-to-date inventory of your OT devices and software, including details like their network addresses and software/firmware versions. This inventory will help you quickly identify which systems might be affected when new vulnerabilities are announced. Regularly apply security patches and updates to your control systems as they become available (following vendor guidance and testing to ensure updates don’t disrupt operations). If certain systems cannot be patched quickly, implement additional protections around them, such as stricter network rules or extra monitoring.
- Allowlisting and Network Controls: Implement network allowlisting (whitelisting) so that control system devices only accept connections from known, trusted systems. For instance, if only the engineering workstation should talk to a PLC, then block all other devices from communicating with that PLC. Use firewalls or router ACLs to enforce these rules. This limits what an attacker can do if they do get into your network, because they’ll find it hard to reach systems that aren’t explicitly permitted to talk to each other.
- Least Privilege and Account Security: Give each user account only the access that person needs, and nothing more. Operators, engineers, and technicians should have separate accounts with roles tailored to their job functions. Do not use shared accounts if possible. Regularly audit accounts and remove any that are not needed (for example, disable accounts of former employees or contractors who no longer require access). By limiting privileges, even if an attacker steals one account, they won’t have free rein over the system.
- Incident Response Plan (with Manual Operations): Prepare a cyber incident response plan that covers scenarios like losing control of your OT systems. This plan should detail how to isolate affected systems, how to safely shut down processes if needed, and how to communicate with incident responders and authorities. Include contingencies for running critical processes manually: make sure valves can be turned by hand, overrides are accessible, and staff are trained to manage without the computer systems temporarily. Also ensure you have recent backups of all critical configuration data (stored securely offline) and practice restoring from those backups. Time spent on drills and tabletop exercises will pay off in a crisis.
- Continuous Monitoring and Detection: Deploy tools to continuously monitor your control networks for suspicious activity. Industrial-specific intrusion detection systems (IDS) can watch for unusual commands or devices on the network. Even a simple network monitoring setup can flag anomalies, like a new computer scanning your PLCs or multiple failed login attempts on an HMI. Ensure that logs from control systems, firewalls, and remote access tools are aggregated and reviewed regularly. Early detection of an intruder can prevent a minor incident from becoming a major disaster.
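As an added illustration of the monitoring advice above (this is not code from the advisory or from any vendor), the following Python script runs three simple detections over constructed sample lines in the style of a VNC server's authentication log: a burst of failed logins from one source, a successful login from outside the allowlisted engineering network, and logins outside the maintenance window. The log format, addresses, hours and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of a VNC server's authentication log.
# The format is an assumption for this example; real products log differently.
SAMPLE_LOG = """\
2025-03-02 02:14:05 vnc-hmi01 auth FAIL src=203.0.113.7 user=admin
2025-03-02 02:14:06 vnc-hmi01 auth FAIL src=203.0.113.7 user=admin
2025-03-02 02:14:06 vnc-hmi01 auth FAIL src=203.0.113.7 user=operator
2025-03-02 02:14:07 vnc-hmi01 auth FAIL src=203.0.113.7 user=admin
2025-03-02 02:14:08 vnc-hmi01 auth FAIL src=203.0.113.7 user=admin
2025-03-02 02:14:09 vnc-hmi01 auth OK src=203.0.113.7 user=admin
2025-03-02 09:30:11 vnc-hmi01 auth OK src=10.20.1.15 user=engineer
2025-03-02 23:45:00 vnc-hmi01 auth OK src=10.20.1.15 user=engineer
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) auth "
    r"(?P<result>OK|FAIL) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Networks allowed to reach the HMI (constructed: the engineering workstation VLAN).
ALLOWED_NETS = [ip_network("10.20.1.0/24")]
# Hours during which remote maintenance access is expected (local time, [start, end)).
WINDOW_START, WINDOW_END = 8, 18
# Brute-force rule: this many failures from one source within the interval.
FAIL_THRESHOLD, FAIL_INTERVAL = 5, timedelta(seconds=60)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def analyze(events):
    """Return a list of (rule, src, detail) alerts in log order."""
    alerts = []
    failures = defaultdict(list)  # src -> recent failure timestamps
    for e in events:
        src = e["src"]
        if e["result"] == "FAIL":
            # Sliding window: keep only failures within FAIL_INTERVAL of this one
            window = [t for t in failures[src] if e["ts"] - t <= FAIL_INTERVAL]
            window.append(e["ts"])
            failures[src] = window
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("brute_force", src,
                               f"{FAIL_THRESHOLD} failures within {FAIL_INTERVAL.seconds}s"))
            continue
        # Successful login: check source allowlist, time window, and prior failures
        if not any(ip_address(src) in net for net in ALLOWED_NETS):
            alerts.append(("unallowlisted_source", src, f"user={e['user']}"))
        if not WINDOW_START <= e["ts"].hour < WINDOW_END:
            alerts.append(("outside_window", src, f"user={e['user']} at {e['ts'].time()}"))
        if failures[src]:
            alerts.append(("success_after_failures", src,
                           f"{len(failures[src])} recent failures"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in analyze(parse(SAMPLE_LOG)):
        print(f"{rule:24} {src:15} {detail}")
```

The same rules can be fed from a firewall or VPN concentrator log once the regular expression is adapted to that format; a login that succeeds right after a burst of failures is the case most worth paging someone for.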
For Industrial Control System Manufacturers
- Eliminate Default Credentials: Design products so that there are no universal default usernames or passwords that ship with the equipment. If a default account is necessary for initial setup, force the user to change it on first login or provide a unique password for each device. Default credentials are commonly known (often even posted online), making them a huge security risk.
- Enable Multi-Factor Authentication: Build support for MFA into your devices and software, especially for remote access and critical actions. For example, a control system management console should allow operators to enable MFA for logging in or for applying firmware updates. By providing this capability, you empower customers to add an extra layer of defense.
- Secure-by-Default Settings: Ship devices in a secure configuration by default. Only open the network ports and services that are absolutely necessary for the device’s function, and have everything else disabled. Require encrypted connections (e.g. SSH instead of Telnet, HTTPS instead of HTTP) and modern authentication out of the box. The installation process should encourage secure setup. For instance, a setup wizard might guide the installer to create strong passwords and enable network restrictions, rather than leaving everything open.
- Built-in Logging and Alerts: Include comprehensive logging features that are active by default. The system should log security-relevant events like login attempts, configuration changes, and network connections. Make these logs easily exportable so operators can integrate them with their security monitoring. If possible, build in basic alerting as well, for example, an alarm if someone attempts too many incorrect logins or if a critical setting is changed. These features help users detect and respond to attacks more quickly.
- Provide an SBOM: Supply a Software Bill of Materials for your products. An SBOM lists the components (operating system, libraries, open-source software, etc.) that your device’s software relies on. This transparency means that when vulnerabilities are discovered in common components, your customers can quickly determine if their systems are affected and need updates. Providing an SBOM shows that you take ongoing security maintenance seriously.
- Secure Development Lifecycle: Follow a secure development process. Conduct thorough security testing (such as threat modeling, code reviews, and penetration testing) before release. Offer a way for researchers and users to report vulnerabilities (a disclosure program), and commit to timely patches when issues are found. By prioritizing security during development and maintenance, manufacturers make their products far more resilient against the kinds of opportunistic attacks described above.
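As an added example of the manufacturer-side controls above (a constructed model written for this article, not any vendor's firmware), this Python class shows a per-device initial password that must be replaced on first login, a failed-login lockout that raises an alert event, and audit logging of setpoint changes. The thresholds, event names and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # consecutive failures before the account locks
LOCKOUT_DURATION = timedelta(minutes=15)
MIN_PASSWORD_LEN = 12


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the device never stores the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    """Local account logic for a controller (constructed model, not a real product)."""

    def __init__(self, clock=datetime.now):
        self.clock = clock
        self.audit = []            # security events, exportable to the operator's SIEM
        # Per-unit initial password generated at manufacture (e.g. printed on the
        # label) instead of one universal default shared by every shipped device.
        self.initial_password = secrets.token_urlsafe(12)
        self.salt, self.digest = hash_password(self.initial_password)
        self.must_change = True    # nothing else is allowed until it is replaced
        self.authenticated = False
        self.failures = 0
        self.locked_until = None

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def login(self, password):
        now = self.clock()
        if self.locked_until and now < self.locked_until:
            self._log("login_refused_locked")
            return "locked"
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.authenticated = False
            self.failures += 1
            self._log("login_failed", failures=self.failures)
            if self.failures >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                self._log("ALERT_lockout", until=self.locked_until.isoformat())
            return "denied"
        self.failures = 0
        self.authenticated = True
        self._log("login_ok")
        return "must_change_password" if self.must_change else "ok"

    def change_password(self, new_password):
        if not self.authenticated:
            return False
        if len(new_password) < MIN_PASSWORD_LEN or new_password == self.initial_password:
            self._log("password_change_rejected")
            return False
        self.salt, self.digest = hash_password(new_password)
        self.must_change = False
        self._log("password_changed")
        return True

    def set_setpoint(self, name, value):
        """Critical settings are refused until the factory password is replaced,
        and every accepted change is logged as an alert-worthy event."""
        if not self.authenticated or self.must_change:
            self._log("setpoint_change_refused", name=name)
            return False
        self._log("ALERT_setpoint_changed", name=name, value=value)
        return True
```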
By taking these steps, manufacturers can ensure their products are not the weak link in an otherwise secure infrastructure. Many of these recommendations mirror CISA’s Secure by Design principles, which encourage building security into products from the ground up rather than leaving it all to the end user.
The recent water facility hack in Denmark and similar incidents elsewhere should be a wake-up call for everyone involved in critical infrastructure. Pro-Russian hacktivists might be unsophisticated, but they are actively looking for easy targets and will exploit any gaps in security. For operators of vital systems, the takeaway is clear: strengthen your cyber defenses now, not after an incident happens.
This threat is global, and no region or sector can assume immunity. That’s why cybersecurity agencies worldwide are sharing information and guidance (like advisory AA25-343A) to help organizations understand and counter these attacks. By implementing the measures outlined above, companies can drastically reduce the chance that they’ll become the next victim. At the same time, when manufacturers deliver products that are secure by default, it raises the security baseline across the board, leaving fewer weak points for attackers to hit.
In the end, protecting critical infrastructure from these hacktivist attacks is about staying resilient in a new era of hybrid warfare. Systems that provide us with water, power, food, and transportation are now on the digital front lines. The hackers behind these incidents are willing to put public safety in jeopardy to make a political point. It falls on the defenders (the facility operators, security teams, and industry partners) to stay ahead of the threat. With solid basic cybersecurity practices, vigilant monitoring, and a proactive mindset, even these opportunistic hackers can be thwarted. The incidents in Denmark and beyond underscore the urgency, but by taking action now, organizations can blunt the impact of hacktivist threats and keep their essential services running safely.