Denmark Blames Russia for Destructive Cyberattack That Burst Water Pipes
Danish intelligence attributes Z-Pentest hacktivist attack on Køge water utility to Russian state, summons ambassador over 'hybrid war' operations.
Denmark has publicly accused Russia of orchestrating a destructive cyberattack against a water utility that manipulated pump pressure and burst multiple pipes, leaving customers without water. The Danish government announced it would summon the Russian ambassador, marking one of the most direct attributions of critical infrastructure sabotage to Russian state-linked actors.
TL;DR
- What happened: Pro-Russian Z-Pentest hackers compromised a Danish water utility, altered pump pressure, and burst three water pipes
- Who's affected: Residents near Køge, Denmark (35km south of Copenhagen) lost water service
- Severity: High - physical infrastructure damage from cyberattack demonstrates kinetic impact capability
- Action required: Critical infrastructure operators should review OT security controls, particularly internet-exposed assets
What Happened in Denmark?
The Danish Defence Intelligence Service (DDIS) revealed on December 18, 2025 that pro-Russian hacktivist group Z-Pentest conducted a destructive cyberattack against a water utility in Køge in December 2024. The attackers gained control of the waterworks and manipulated the pressure in the pumps, resulting in three burst pipes.
The attack left several customers in the area—approximately 35 kilometers south of Copenhagen—without water service. While the immediate impact was localized, the incident demonstrated that hacktivists can achieve physical-world consequences through cyber means.
"It is completely unacceptable that hybrid attacks are carried out in Denmark by the Russian side," stated Danish Defence Minister Troels Lund Poulsen.
Russian Groups Identified
The DDIS named two Russian hacktivist groups with assessed links to the Russian state:
Z-Pentest
Formed in September 2024 from former members of CARR (Cyber Army of Russia Reborn) and NoName057(16), Z-Pentest specializes in operational technology intrusions and "hack and leak" operations. The group was responsible for the destructive water utility attack.
Z-Pentest has demonstrated capability to access and manipulate SCADA systems controlling physical infrastructure—a significant escalation from traditional hacktivist activities like website defacement or DDoS attacks.
NoName057(16)
Reportedly created by the Kremlin-affiliated "Center for the Study and Network Monitoring of the Youth Environment," NoName057(16) has been active since March 2022. The DDIS attributed a series of DDoS attacks against Danish websites in the run-up to the November 2025 municipal and regional council elections to this group.
Why This Matters
The Denmark water utility attack represents a troubling escalation in hacktivist capabilities. While pro-Russia hacktivist groups have previously focused on nuisance-level disruptions, the Køge incident demonstrates their ability to cause physical damage to critical infrastructure.
The DDIS assessment explicitly states that both groups "have links to the Russian state" and that the attacks were part of Russia's "hybrid war" against the West—an attempt to "create instability" and "undermine and punish countries which support Ukraine."
Denmark has consistently supported Ukraine since Russia's February 2022 invasion, providing military equipment and substantial financial assistance. The cyberattacks appear designed as retaliation for this support.
Regional Pattern
Similar attacks have occurred across NATO allies:
- Norway (August 2025): Dam valve sabotage incident
- Poland, Czech Republic, Germany: Multiple hacktivist operations targeting government websites
- United States: CISA advisory AA25-343A warned of pro-Russia hacktivist attacks on water and energy infrastructure
How Weak Security Enabled the Attack
The Danish Centre for Cyber Security (CFCS) assessed that "weak security measures were the reason why a Danish water utility plant fell victim to a cyber attack." The incident aligns with patterns documented in CISA's December 10 joint advisory, which noted that pro-Russia hacktivists exploit:
- Internet-exposed virtual network computing (VNC) connections
- Default or weak credentials on operational technology systems
- Lack of network segmentation between IT and OT environments
- Minimally secured SCADA interfaces
Recommended Mitigations
- Reduce OT exposure - Remove operational technology assets from public-facing internet where possible
- Segment networks - Implement strict separation between IT and OT environments
- Strengthen authentication - Replace default credentials and implement multi-factor authentication on all remote access
- Monitor OT networks - Deploy monitoring solutions capable of detecting anomalous commands to industrial control systems
- Review remote access - Audit all VNC, RDP, and other remote access configurations
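One way to carry out the exposure, segmentation and remote-access review items above against a firewall rule export, as an added example that is not from the article or the cited advisories. The subnets, the rule tuple format, the sample rules and the policy that only sources inside the OT network (such as a jump host) may reach VNC or RDP are all assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (illustrative, not from the article).
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Remote-access services the article names, on their default TCP ports
# (VNC displays :0 to :9, RDP on 3389).
REMOTE_ACCESS = {"VNC": range(5900, 5910), "RDP": range(3389, 3390)}

# Constructed allow-rule export: (name, source, destination, proto, ports).
SAMPLE_RULES = [
    ("vendor-vnc", "0.0.0.0/0", "10.50.4.20/32", "tcp", "5900-5901"),
    ("it-to-hmi-rdp", "10.10.0.0/16", "10.50.4.0/24", "tcp", "3389"),
    ("jump-host-rdp", "10.50.250.5/32", "10.50.4.0/24", "tcp", "3389"),
    ("historian-web", "10.10.8.0/24", "10.50.9.10/32", "tcp", "443"),
    ("any-any-legacy", "0.0.0.0/0", "10.50.0.0/16", "tcp", "1-65535"),
]

def parse_ports(spec):
    """'3389' or '5900-5901' -> range covering those ports."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def source_zone(src):
    """Classify a source network; anything outside the declared nets is external."""
    if any(src.subnet_of(n) for n in OT_NETS):
        return "ot"
    if any(src.subnet_of(n) for n in IT_NETS):
        return "it"
    return "external"

def audit(rules):
    """Return sorted (severity, rule, service, zone) for remote access into OT."""
    findings = []
    for name, src, dst, proto, ports in rules:
        dst_net = ipaddress.ip_network(dst)
        if proto != "tcp" or not any(dst_net.overlaps(n) for n in OT_NETS):
            continue
        zone = source_zone(ipaddress.ip_network(src))
        if zone == "ot":  # assumed policy: OT-internal jump hosts are allowed
            continue
        rng = parse_ports(ports)
        for svc, svc_ports in REMOTE_ACCESS.items():
            if max(rng.start, svc_ports.start) < min(rng.stop, svc_ports.stop):
                severity = "critical" if zone == "external" else "review"
                findings.append((severity, name, svc, zone))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(*finding)
```

Rules flagged `critical` allow VNC or RDP into the OT range from outside the declared internal networks; `review` marks direct IT-to-OT remote access that bypasses the assumed jump host.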
Frequently Asked Questions
Could this type of attack happen to US water utilities? Yes. CISA's December 2025 advisory specifically warned that pro-Russia hacktivists are actively targeting US water, energy, and food production facilities using similar techniques. Several US water utilities have already experienced intrusions.
What makes water utilities vulnerable? Many water utilities operate aging SCADA systems with limited security controls, rely on remote access for distributed pump stations, and lack dedicated cybersecurity staff. Budget constraints often prevent necessary security upgrades.
What is Denmark doing in response? Beyond summoning the Russian ambassador, Denmark is sharing threat intelligence with allies and reviewing security postures at critical infrastructure facilities. The government has emphasized that such "hybrid attacks" are "completely unacceptable."
Sources: BleepingComputer, The Local Denmark, Infosecurity Magazine