Cyber Incident Victim: Denmark

Date: Feb 2023

Location: Denmark

Summary

Danish hospitals experienced distributed-denial-of-service (DDoS) attacks attributed to the group Anonymous Sudan, causing temporary website outages that disrupted access but left medical operations unaffected. The attackers claimed retaliation for Quran burnings in Stockholm by a Danish-Swedish activist, though cybersecurity analysts assessed the group is likely part of a Russian information operation aimed at undermining Sweden’s NATO bid, noting its infrastructure involved paid servers hosted in Germany rather than typical botnets. Anonymous Sudan previously targeted Scandinavian Airlines and a Swedish broadcaster, with Microsoft security personnel observing coordinated Russian media amplification suggesting premeditated exploitation of the Quran burning incident.

Description

On February 26, 2023, nine hospital websites in Denmark became inaccessible following distributed-denial-of-service (DDoS) attacks attributed to the group Anonymous Sudan. Copenhagen’s health authority confirmed via Twitter that the attacks disrupted public access to hospital websites but clarified that medical operations at the affected facilities remained fully functional. The websites were restored to normal operation after being offline for several hours. Anonymous Sudan publicly claimed responsibility for the attack on Telegram, citing retaliation against Denmark for Quran burnings—specifically referencing an incident in Stockholm involving Rasmus Paludan, a Danish-Swedish far-right activist who burned the Islamic holy book outside the Turkish embassy. The group’s messaging included confrontational responses to critics, dismissing concerns about targeting hospitals by stating patients were not exempt from accountability for the Quran burning.

Technical analysis by Swedish cybersecurity firm Truesec, published prior to the hospital attacks, identified Anonymous Sudan as a likely Russian information operation rather than an authentic hacktivist collective. Telemetry indicated the group’s Telegram account was registered in Russia, and its DDoS infrastructure relied on 61 paid servers hosted by IBM/Softlayer in Germany, rather than compromised devices typically associated with botnets. Traffic from these servers was routed through open proxies to obscure its origin. Truesec concluded the operation was preplanned and funded, noting the server expenses suggested organizational backing but not necessarily state sponsorship. Following Truesec’s report, the German servers were terminated, prompting Anonymous Sudan to criticize the firm’s founder on Telegram and announce a shift toward using traditional botnets for future attacks. The group had previously claimed DDoS attacks against Scandinavian Airlines and Swedish broadcaster SVT in early 2023. Microsoft’s Swedish national security officer Sandra Barouta Elvin observed that Russian media’s extensive coverage of the Quran burning and the rapid response by entities like Anonymous Sudan indicated preparatory measures were in place before the incident in Stockholm occurred.
