Danish authorities have formally attributed multiple cyberattacks in 2024 and 2025 to Russia, including disruptive operations against a water utility and denial-of-service attacks targeting public websites ahead of local elections. Newly disclosed details suggest these incidents were part of a broader, coordinated campaign intended to undermine stability and test societal resilience in countries supporting Ukraine. While the immediate damage was limited, officials warn the attacks highlight structural weaknesses in critical infrastructure protection.

Since Russia’s full-scale invasion of Ukraine in 2022, Western intelligence agencies have warned of a sustained “hybrid warfare” campaign combining cyber operations, disinformation, sabotage, and political interference. These activities aim to punish countries backing Kyiv, strain public trust, and probe vulnerabilities across Europe’s digital and physical systems.

Denmark’s Defense Intelligence Service revealed that Russian-linked threat actors conducted previously undisclosed cyber operations against Danish targets. In 2024, a cyberattack disrupted a water utility near Køge, south of Copenhagen, resulting in abnormal water pressure and burst pipes that temporarily cut service to residents.

In November 2025, Danish authorities detected a wave of distributed denial-of-service (DDoS) attacks against government and public-facing websites shortly before regional and local elections. The timing suggested an intent to interfere with democratic processes rather than cause long-term technical damage.

The intelligence service attributed the water utility attack to a pro-Russian group known as Z-Pentest. The operation reportedly interfered with operational systems, affecting pressure controls rather than exfiltrating data. Such attacks demonstrate how cyber intrusions can translate directly into physical consequences.

The election-related disruptions were linked to NoName057(16), a group known for DDoS campaigns against Western institutions. These attacks rely on overwhelming web infrastructure with traffic, rendering services temporarily unavailable without breaching internal systems.

Danish officials assess that both groups maintain ties to Russian state interests and are used as proxies in broader strategic operations.

While no long-term outages or systemic failures were reported, the incidents had tangible real-world effects, including water service interruptions and election-related disruptions. Officials emphasized that even short-lived incidents can erode public confidence and consume emergency response resources.

The Danish government acknowledged that current defenses may be insufficient to counter increasingly sophisticated hybrid threats targeting critical infrastructure.

These cases underscore how cyber operations are increasingly designed to create physical disruption and psychological impact, not just data loss. They also illustrate how election infrastructure and essential services remain attractive targets during periods of heightened political sensitivity.

Across Europe, similar incidents suggest a coordinated effort to identify weak points and normalize low-level disruption as a strategic tool.

Danish Minister for Resilience and Preparedness Torsten Schack Pedersen warned that the attacks demonstrate the ability of hostile actors to disrupt “important parts of our society,” calling for stronger preparedness and resilience measures.

Western intelligence agencies increasingly view such incidents as rehearsal operations, refining tactics while avoiding escalation.