When Pipes Burst and Governments Wake Up: The Denmark Water Utility Attack and What It Means for Critical Infrastructure Security
- RubyComm Team
On December 19, 2025, Denmark's Defence Intelligence Service made an announcement that should concern every critical infrastructure operator worldwide: pro-Russian hackers had successfully attacked a Danish water utility, remotely manipulating water pressure controls. Local officials said this led to pipe bursts affecting several dozen households. And a small waterworks serving several villages south of Copenhagen became the latest example of how state-backed cyber actors are turning operational technology systems into weapons of hybrid warfare.
This incident, attributed by researchers to the Z-Pentest hacktivist group operating on behalf of Russian state interests, represents a disturbing escalation in the targeting of water infrastructure globally. For OT security professionals and executives responsible for critical infrastructure protection, this attack offers concrete lessons about vulnerabilities, threat actor capabilities, and the urgent need for defensive measures that many organizations have yet to implement.
The Attack: What Happened in Denmark
The Tureby Alkestrup Waterworks, serving approximately 500 households in villages roughly 35 kilometers south of Copenhagen, became the target of what Danish intelligence officials described as a "destructive attack" in late 2024. Threat actors gained access to operational systems controlling water pressure and deliberately altered settings, causing at least three pipes to burst in the municipality of Køge.
Local reporting indicated several pipe bursts and temporary loss of service in parts of the Køge Municipality. While the Danish minister of resilience and preparedness, Torsten Schack Pedersen, noted that the immediate damage was limited, he emphasized the broader implications during a press conference. The attack demonstrated that adversaries possess the capability to disrupt essential services that communities depend upon.
What makes this incident particularly instructive is the candid admission from Jan Hansen, head of the affected waterworks, about how the breach occurred. The facility had switched to a less expensive cybersecurity solution that proved inadequate. His advice to other utilities is crucial: do not cut costs on cybersecurity, and consider cyber insurance as part of risk management strategy.
The Threat Actors: Understanding Z-Pentest and the Pro-Russian Hacktivist Ecosystem
Danish intelligence attributed the water utility attack to Z-Pentest, one of several pro-Russian hacktivist groups that have emerged as persistent threats to Western critical infrastructure. Understanding these groups' origins, capabilities, and operational patterns is essential for effective defense.
According to a joint advisory issued by CISA, the FBI, NSA, and international partners on December 10, 2025, Z-Pentest formed in late September 2024 when administrators from the Cyber Army of Russia Reborn (CARR) and NoName057(16) established the new group after becoming dissatisfied with support from Russian military intelligence (GRU). The group employs tactics, techniques, and procedures similar to CARR but operates with greater independence from direct state control.
Z-Pentest has distinguished itself from other pro-Russian groups by focusing specifically on OT intrusions rather than distributed denial-of-service (DDoS) attacks. The group targets critical infrastructure globally through "hack and leak" operations and defacement attacks, using compromised industrial control systems to generate media attention and advance pro-Russian messaging. This operational focus makes Z-Pentest particularly dangerous to water utilities, energy facilities, and manufacturing operations.
The Denmark attack was not an isolated incident. Z-Pentest has claimed responsibility for hundreds of cyberattacks on critical infrastructure worldwide, including attacks on U.S. drinking water systems that damaged controls and released hundreds of thousands of liters of water, as well as an attack on a Los Angeles meat processing facility that spoiled thousands of pounds of product and triggered an ammonia leak.
The December 2025 CISA advisory identified several affiliated groups operating as part of this ecosystem: NoName057(16), which conducts frequent DDoS attacks against NATO member states using proprietary DDoSia software; CARR, originally supported by GRU Unit 74455 (Sandworm); and Sector16, a newer group that emerged in January 2025 through collaboration with Z-Pentest. These groups share TTPs, coordinate attacks, and collectively represent a persistent threat to critical infrastructure operators.
The Broader Pattern: Russia's Hybrid Warfare Campaign Against European Infrastructure
The Denmark water utility attack fits into a documented pattern of Russian cyber operations targeting European critical infrastructure. Danish intelligence explicitly characterized these attacks as part of Russia's "hybrid war" against the West, intended to create instability and punish nations supporting Ukraine.
An Associated Press database has documented over 140 incidents of Russian disruption and sabotage across Europe, with the Denmark cases representing just the latest additions. Norwegian authorities blamed pro-Russian hackers for an April 2025 attack on the Bremanger dam that opened a floodgate and released water for four hours. Norwegian counter-intelligence officials assessed that the attack aimed to create fear and demonstrate capabilities rather than cause destruction, but such operations test defenses and identify vulnerabilities for potential future exploitation.
The cumulative effect of these incidents demonstrates that Russian state actors and their proxies are systematically probing Western critical infrastructure, identifying weaknesses, and building operational capabilities that could be leveraged during periods of heightened geopolitical tension.
Technical Analysis: How These Attacks Succeed
The CISA advisory provides detailed insight into how pro-Russian hacktivist groups compromise OT systems. Understanding these attack vectors is essential for implementing effective defenses.
These groups primarily exploit minimally secured, internet-facing Virtual Network Computing (VNC) connections to gain access to OT control devices. The attack methodology follows a consistent pattern: actors scan for internet-facing vulnerable devices with open VNC ports, deploy temporary virtual private servers to execute password brute-forcing software, use VNC software to access hosts and confirm connections, brute-force passwords when required, and ultimately gain access to human-machine interface (HMI) devices.
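The scan-then-brute-force sequence above leaves a recognizable trace in the HMI's VNC authentication log, which is where a small utility can catch it early. The following Python detector is an added example, not code from the original post or the CISA advisory: it flags sources that reach a failure threshold within a sliding window, upgrades the verdict when a flagged source later logs in, and records whether the source lies outside the plant's own OT subnet. The log line format, the 10.20.0.0/16 subnet and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed generic log line: "<iso-ts> vnc[<pid>]: auth failed|ok from <ip>"
LOG_RE = re.compile(r"^(\S+) vnc\[\d+\]: auth (failed|ok) from (\S+)$")
OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed plant OT subnet

# Constructed sample: one external source hammering the HMI and then getting
# in, one operator mistyping once from inside, one lone external failure.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z vnc[412]: auth failed from 203.0.113.5
2025-12-01T10:00:02Z vnc[412]: auth failed from 203.0.113.5
2025-12-01T10:00:03Z vnc[412]: auth failed from 203.0.113.5
2025-12-01T10:00:04Z vnc[412]: auth failed from 203.0.113.5
2025-12-01T10:00:05Z vnc[412]: auth failed from 203.0.113.5
2025-12-01T10:00:09Z vnc[412]: auth ok from 203.0.113.5
2025-12-01T10:01:00Z vnc[412]: auth failed from 10.20.0.7
2025-12-01T10:01:05Z vnc[412]: auth ok from 10.20.0.7
2025-12-01T11:00:00Z vnc[412]: auth failed from 198.51.100.9
"""

def parse(log):
    """Yield (timestamp, outcome, ip) for every line matching LOG_RE."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), ipaddress.ip_address(m.group(3))

def detect(log, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"verdict", "external"}} for sources reaching `threshold`
    failures inside a sliding `window`; a later login upgrades the verdict."""
    fails = defaultdict(list)
    alerts = {}
    for ts, outcome, ip in parse(log):
        if outcome == "ok":
            if ip in alerts:  # guessing followed by a login: likely compromise
                alerts[ip] = "brute-force-then-success"
            continue
        fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
        if len(fails[ip]) >= threshold and ip not in alerts:
            alerts[ip] = "brute-force"
    return {str(ip): {"verdict": v, "external": ip not in OT_NET}
            for ip, v in alerts.items()}
```

A "brute-force-then-success" verdict from an external source is the case to treat as an incident rather than noise, since it matches the access path the advisory describes.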
The success of these relatively unsophisticated attacks highlights a troubling reality: many critical infrastructure systems remain protected by default credentials, weak passwords, or no authentication at all. Organizations that have not implemented basic security hygiene become low-hanging fruit for threat actors seeking targets of opportunity.
CISA's assessment notes that these attacks have resulted in "varying degrees of impact, including physical damage." While the attacks have not yet caused injuries, operations against occupied factories and community facilities demonstrate a concerning disregard for human safety. The advisory warns that it is likely these and similar groups will continue to iterate and share attack methods to disrupt critical infrastructure organizations.
Key Lessons for Water Utilities and Critical Infrastructure Operators
The Denmark attack reinforces several critical lessons for organizations responsible for OT security:
Cost-cutting on cybersecurity creates existential risk. The Tureby Alkestrup Waterworks' switch to cheaper security solutions directly contributed to the successful attack. For critical infrastructure operators, cybersecurity is not an area where budget optimization should take precedence over effectiveness. The costs of a successful attack, including operational disruption, infrastructure damage, regulatory scrutiny, and reputational harm, far exceed the investment in adequate protection.
Internet-exposed OT systems remain high-value targets. The attack vectors employed by Z-Pentest and affiliated groups specifically target systems accessible from the public internet. Organizations must evaluate which OT assets require remote access and implement robust security controls for any systems that cannot be fully isolated.
Basic security hygiene prevents sophisticated attacks. These threat actors are not employing zero-day exploits or advanced persistent threat techniques. They are succeeding by finding systems with default passwords, weak authentication, and inadequate network segmentation. Implementing fundamental security controls eliminates the majority of attack vectors these groups exploit.
Small utilities are not exempt from nation-state threats. The Tureby Alkestrup Waterworks serves a relatively small population, yet it attracted the attention of state-backed threat actors. Organizations cannot assume that their size or perceived insignificance provides protection. These groups seek targets of opportunity, and any vulnerable system may be compromised to generate propaganda value or test capabilities.
The Road Ahead: Preparing for Escalation
Denmark's acknowledgment that its critical infrastructure is "not sufficiently equipped" to handle cyberattacks reflects a broader reality facing utilities and industrial operators worldwide. The threat environment continues to evolve, with state-backed actors and their proxies demonstrating both capability and intent to target Western infrastructure.
The Denmark water utility attack succeeded because it exploited common vulnerabilities that persist across the critical infrastructure landscape: internet-exposed systems, inadequate authentication, and cost-driven security decisions. Organizations that address these fundamental gaps will significantly reduce their exposure to the opportunistic attacks that characterize the current threat landscape.
However, the sophistication of these threat actors continues to increase. The alliance between Z-Pentest, CARR, NoName057(16), and Sector16 demonstrates how these groups share techniques and coordinate operations. As their capabilities mature, the potential for more destructive attacks grows. Organizations must view current defensive investments not just as protection against today's threats, but as a foundation for resilience against tomorrow's more capable adversaries.
The message from Denmark is clear: the time to act on OT security is before the pipes burst.
About RubyComm:
RubyComm delivers tailored operational technology cybersecurity solutions designed specifically for the unique challenges of industrial and critical infrastructure environments faced by organizations of all sizes. Unlike one-size-fits-all security products, RubyComm addresses the specific operational constraints, legacy system challenges, and complex integration requirements that conventional off-the-shelf solutions cannot adequately address. Our approach maintains operational efficiency and business continuity while providing comprehensive protection against sophisticated OT-specific threats.
Sources:
Danish Defence Intelligence Service statement (December 19, 2025); CISA Advisory AA25-343A, "Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure"; Associated Press; Euronews; BleepingComputer.