Denmark links Køge waterworks cyberattack to Russia

The Køge waterworks cyberattack has been linked by Denmark’s Defence Intelligence Service (Forsvarets Efterretningstjeneste, FE) to pro-Russian hacker groups with connections to the Russian state, Danish authorities said on 18 December 2025. The assessment covers a December 2024 incident at Tureby-Alkestrup Waterworks (Tureby-Alkestrup Vandværk) in Køge Municipality and denial-of-service attacks targeting public websites during Denmark’s municipal and regional elections in November.

Køge waterworks cyberattack: what Denmark says happened

According to the Danish authorities’ account, a cyberattack in December 2024 targeted the Tureby-Alkestrup Waterworks in Køge Municipality, south of Copenhagen. The incident affected water pressure in the system and led to burst pipes, temporarily disrupting supply for some customers.

At a press conference on Thursday, Defence Minister Troels Lund Poulsen said the government considers the incident part of a broader pattern of hybrid threats against Denmark and other European countries that support Ukraine.

While Danish authorities have not publicly detailed the technical indicators behind the attribution, FE said it is working with intelligence that makes it “very likely” the attack was carried out by a pro-Russian group linked to the Russian state.

Image: Troels Lund Poulsen // Nils Meilvang / Ritzau Scanpix

FE’s attribution to Z-Pentest and NoName057(16)

FE’s assessment identifies two pro-Russian groups:

  • Z-Pentest, which Danish authorities link to the Køge waterworks cyberattack in 2024.
  • NoName057(16), which they link to repeated distributed denial-of-service (DDoS) attacks against websites connected to Denmark’s municipal and regional elections in November.

FE Director Thomas Ahrenkiel said the service is confident about the connection between the groups and the Russian state, describing the attacks as part of an effort to create insecurity in countries that back Ukraine.

The government’s language is notable because Denmark rarely attributes cyber incidents publicly at this level of detail. It also reflects a broader trend among European governments of naming specific actors and groups, rather than discussing cyber risks only in general terms.

Election-related DDoS attacks and what they can disrupt

The second incident described by Danish authorities concerns overload attacks that temporarily knocked websites offline ahead of November’s local and regional elections. Such attacks do not necessarily require deep access to internal systems: DDoS campaigns aim to make a service unavailable by overwhelming it with traffic.

Denmark’s voting system is largely paper-based, and the government has not indicated that the integrity of ballots was compromised. However, election-period DDoS attacks can still have real effects: they can reduce public access to official information, hinder municipal services, and erode trust in the state’s ability to keep essential digital infrastructure running.

In FE’s assessment, the elections were used as a platform to attract attention and amplify the impact of the attacks, in line with tactics observed around other European elections.

Summoning the Russian ambassador and Denmark’s diplomatic signal

Denmark’s Ministry of Foreign Affairs (Udenrigsministeriet) said it will summon the Russian ambassador in Copenhagen, Vladimir Barbin, for talks following FE’s attribution.

The move is both symbolic and practical. Diplomatically, it signals that Denmark is treating the incidents as state-linked activity rather than ordinary cybercrime. Politically, it also ties cyber resilience more directly to Denmark’s wider security posture inside NATO and the European Union.

Image: Vladimir Barbin // Claus Bech/Ritzau Scanpix

New measures for critical infrastructure and cyber resilience

Beyond the diplomatic response, Danish authorities have pointed to new security measures focused on critical infrastructure.

In a separate government initiative announced earlier in December, Denmark set out plans to strengthen national cyber situational awareness with a new 24/7 situations centre and a dedicated cyber operations centre, alongside a broader cyber monitoring network. The overall funding prioritised for the initiative is about DKK 1 billion (€134 million) over four years.

The monitoring network is expected to be built in phases from 2026 and to become fully operational by 2029, according to the outline shared by Denmark’s cyber incident response community.

What remains unclear

The Danish government has emphasised its confidence in the attribution, but public information still leaves gaps.

It remains unclear, for example, how far the attackers were able to move beyond the immediate systems they affected, and whether the incidents relied on vulnerabilities in operational technology (OT) environments, such as pumps and pressure controls at water utilities.

Authorities have also not described whether the attacks exploited third-party access, compromised credentials, or misconfigured remote interfaces—details that can be sensitive but matter for understanding how similar facilities should defend themselves.
