Pro-Russian hackers attack Danish energy sector

The attacked websites belonged to Elnet selskabet N1 (a regional distribution network operator), Energinet (a transmission system operator), and Energistyrelsen (a state agency under the Danish Ministry of Climate, Energy, and Utilities).

An attack without a pump

The attacks were not serious and did not lead to any noticeable disruption to the operators« operations. However, it should be remembered that the hackers« goal was to show the Danes that they could break into their networks and, if they wanted to, remain there unnoticed.

As Dorota Kwaśniewska from CyberDefence24 points out, the reason for the attack on the Danish cyber system was Copenhagen’s involvement in Operation Eastwood , an international operation led by Europol, carried out in July this year to break up and arrest a group of hackers known as NoName057(16).

They are considered an APT (Advanced Persistent Threat) group and have been carrying out advanced attacks targeting European countries, including Poland, for years.

As a result of the operation, several key members of the organization were arrested and equipment was secured.

”Server Killers specialize in distributed denial of service (DDoS) attacks on government servers and critical infrastructure,” says editor Kwaśniewska (CyberDefence24). In the case of Denmark, in addition to government websites, three Danish energy-related institutions were also targeted.

Check-Host.net is an online tool for checking the availability of websites, servers, hosts, and IP addresses. It provides data on the location of domains and IP addresses from several IP geolocation and whois databases. Using this tool, cybercriminals provided evidence that the websites had been »taken offline«,” adds Kwaśniewska (CyberDefence24).

As a result of a massive DDoS attack, the server was overloaded and temporarily unable to handle all requests. During this time, users received a 503 Service Unavailable message, indicating that the service was temporarily unavailable.
Dorota Kwaśniewska, CyberDefence24

E24 contacted all three Danish institutions that were exposed to the attack. After receiving the information and checking the system, Energinet spokesperson Jesper Nørskov Rasmussen „declined to comment.” Meanwhile, Elnet selskabet N1 spokesperson Frederik Schmidt declined to respond until the operator had checked the servers.

Is Copenhagen particularly vulnerable?

It is also noteworthy that so far, energy infrastructure has only been attacked in Denmark—in Germany, Belgium, Spain, and the Czech Republic, Server Killers hackers focused exclusively on public and military institutions.

Denmark is the EU country with the highest share of renewable energy in its electricity system – in 2024, wind and solar energy accounted for 58.2% and 10.7% of the country's electricity production, respectively.

The high share of renewable energy sources, which are by definition unstable, requires the coordination of many factors, which in turn increases the demand for an efficient and tightly integrated IT system. The growth of renewable energy sources is driving electrification, which in turn necessitates a high level of computerization and decentralization of the system.

The growing share of renewable energy sources has forced Denmark to change its entire power system. Like many European countries, Copenhagen started with a centralized energy system. However, everything changed after the fuel crisis of the 1970s and the decision to green the country’s energy system.In just 10 years, Denmark managed to significantly increase the share of RES in its energy mix, although initially many experts were pessimistic about the integration of the grid.

Nevertheless, Denmark achieved success. At the beginning of the 21st century, a decision was made to extensively decentralize the power system, which, thanks to high public involvement and awareness, brought the expected results. Thanks to efficient management of interconnectors and the participation of Danes in stabilizing the system, failures are rare.

Nevertheless, there are no perfect solutions. As editor Małgorzata Król pointed out in CyberDefence24, more than 10 years ago, vulnerabilities to hacker attacks in renewable energy systems were revealed – mainly in publicly accessible wind and photovoltaic farm control systems.

Unauthorized access can be used, among other things, to stop turbines, overload inverters, or cause a power failure across an entire region.
Małgorzata Król, CyberDefence24

Cyberwarfare continues and does not bypass the energy sector

Russia is not idle and, in the third year of full-scale war in Ukraine, has also decided to attack critical energy infrastructure. In August this year, the head of the Norwegian state security agency PST, Beate Gangaas , announced that the failure at the Bremanger hydroelectric power plant in April 2025 was caused by Russian hackers.

The hackers took control of the sluice gates, opening one of them. The dam began to release water uncontrollably at a rate of 500 liters per second. The fault was repaired after four hours.

Last year, we noticed a change in the tactics and activities of pro-Russian cybercriminals. Their goal is not to cause disasters right away. They focus on showing what they are capable of, thereby causing fear among the Norwegian public. Our Russian neighbor has become more dangerous.
PST Director Beate Gangaas

The aforementioned hacker group NoName057(16) (whose main members live in Russia) was also responsible for 14 attacks in Germany. „They affected around 230 organizations, including weapons factories, energy suppliers, and government organizations. Attacks also took place across Europe during the European elections,” notes the European Union Agency for Law Enforcement Cooperation.

And although, according to a report by the European Union Agency for Cybersecurity (ENISA), the energy sector accounted for only 3% of all cyberattacks in the EU in 2023-2024 and is quite well prepared, it definitely cannot rest on its laurels.

”The use of unpatched and outdated systems is considered one of the 10 biggest emerging threats in 2030. This may be particularly relevant for sectors where a large proportion of systems are outdated or ICT products have a particularly long life cycle, such as the energy and transport sectors,” emphasize ENISA experts.

Authors: Magdalena Melke, Dorota Kwaśniewska (CyberDefence)