Cyber Incident Victim: Danish Ministry of Defence
Date:
Jan 2015
Location:
Denmark
Summary
A Russian state-linked cyberespionage operation breached the Danish defense ministry, compromising employee emails and accessing non-classified documents over a two-year period. The intrusion, attributed to the APT28 group (also known as Fancy Bear), exploited insufficient email security protections for unclassified communications, which were subsequently strengthened. Denmark's foreign minister publicly implicated Russian intelligence services or government elements in the campaign, aligning with broader Western accusations of Russian cyber operations targeting governmental entities. The incident occurred amid heightened regional tensions, including Denmark's expressed concerns over Russian military posturing in the Baltic.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between 2015 and 2016, the Danish Ministry of Defense experienced a sustained cyber espionage campaign attributed to Russian state-linked actors. According to Denmark’s Defense Minister Claus Hjort Frederiksen, hackers infiltrated the email accounts of defense employees, accessing non-classified documents over a two-year period. The Danish Defense Intelligence Service’s cybersecurity unit confirmed unauthorized access by a foreign entity but did not publicly identify the responsible nation in its initial report. Frederiksen explicitly attributed the attack to Russia during an interview with Berlingske newspaper, stating the operation originated from Russian intelligence services or central government elements. The intrusion exploited insufficient security measures surrounding email systems handling non-sensitive material, a vulnerability later addressed through security upgrades. The minister characterized the incident as part of an ongoing struggle to repel Russian cyber operations against Danish infrastructure.
The hacking group APT28, also known as Fancy Bear, was identified as the perpetrator. This group had previously been implicated in breaching U.S. Democratic Party emails during the 2016 election cycle. While the Danish Defense Ministry confirmed the accuracy of Frederiksen’s statements, it declined further elaboration at the time of reporting. The incident occurred amid broader Western allegations of Russian cyber interference, including U.S., French, and British accusations of election meddling—all denied by Moscow. Geopolitical tensions were further heightened by Danish concerns over Russian missile deployments in the Baltic region, which Frederiksen cited in January 2017 as justification for planned increases in Denmark’s military spending. No operational disruptions or classified data compromises were reported, but the breach underscored vulnerabilities in non-classified communication channels. Russia’s government did not respond to requests for comment on the allegations.