
Cyber Incident Victim: Denmark's Centre for Cyber Security

Date: Jan 2023

Location: Denmark

Summary

Pro-Russian hacking groups, including Killnet and NoName057, conducted distributed denial-of-service (DDoS) attacks targeting critical infrastructure in Denmark and the U.S., prompting Denmark's Centre for Cyber Security to raise its national cyber threat level. The attacks disrupted websites of banks, defense ministries, hospitals, and government offices, with the Centre's own site being knocked offline. These incidents, linked to geopolitical tensions over military aid to Ukraine, exploited misconfigured routers and IoT devices to overwhelm systems. U.S. authorities warned that such attacks could mask more severe threats like ransomware or data theft, noting increased DDoS extortion tactics across Europe. The groups leveraged public platforms like Telegram to recruit members and amplify their disruptive capabilities.


Description

In late January 2023, Denmark's Centre for Cyber Security (CFCS) elevated the national cyber threat level following sustained distributed denial-of-service (DDoS) attacks by pro-Russian hacking groups targeting critical infrastructure and government entities. The CFCS cited heightened activity from these groups against NATO member states, including Denmark, and their demonstrated growth in capacity, as the primary reasons for raising the alert level. Attacks had persisted for weeks prior, impacting Danish banks and the Defense Ministry’s digital services. On January 31, immediately after CFCS publicly announced the heightened threat status via Twitter, its official website became inaccessible due to a DDoS attack, preventing access to the agency’s security advisory. These incidents coincided with broader offensive campaigns against U.S. and European targets, including a January 30 wave of DDoS attacks disrupting dozens of American hospital websites, which prompted the U.S. Department of Health and Human Services (HHS) to issue warnings about potential follow-on ransomware or extortion attempts. The timing aligned with geopolitical developments, including U.S. and German military aid commitments to Ukraine, which pro-Russian groups like Killnet and NoName057 referenced as motivation.


The attackers primarily exploited misconfigured MikroTik routers and vulnerable Internet of Things (IoT) devices globally to amplify DDoS traffic, overwhelming targets with excessive page requests. Killnet operated public Telegram channels with over 92,000 subscribers to recruit members and disseminate DDoS techniques, enhancing their operational scale. While DDoS attacks typically caused temporary outages rather than permanent damage, the CFCS noted increasing attack potency and frequency, with Akamai reporting a 73% rise in European DDoS incidents during 2022, often paired with extortion demands. U.S. authorities had disrupted some attack infrastructure in December 2022 by seizing 48 domains linked to DDoS-for-hire services, though HHS assessed that the impact on Killnet’s operations was uncertain. Service disruptions spanned hours to days, impairing public access to critical health, financial, and governmental platforms. The CFCS’s own incapacitation during the threat-level announcement underscored the operational challenges posed by these attacks, which leveraged globally distributed botnets of compromised devices.
