Cyber Incident Victim: Tureby Alkestrup Waterworks
Date:
Nov 2025
Location:
Denmark
Summary
Russian state-linked hackers conducted a destructive cyberattack against a Danish water utility, Tureby Alkestrup Waterworks. The attackers manipulated water pressure controls, causing pipes to burst and disrupting water supply to hundreds of households for several hours. This incident was attributed to the pro-Russian group Z-Pentest acting as an instrument of Russia's hybrid warfare campaign against countries supporting Ukraine, aiming to create instability and inflict punishment. The attack demonstrated vulnerabilities in critical infrastructure security and was part of a broader pattern of Russian cyber operations targeting Western nations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In 2024, the Tureby Alkestrup Waterworks, located southwest of Copenhagen and serving several villages approximately 35 kilometers south of the capital, suffered a destructive cyberattack. Pro-Russian hacking group Z-Pentest, identified by Danish authorities as having links to the Russian state, executed the attack. The attackers successfully altered the water pressure settings within the utility's systems. This unauthorized manipulation caused a pipe to burst. The immediate consequence was a disruption to water supply for customers. Approximately 50 households experienced a water outage lasting around seven hours, while an additional 450 houses were without water for approximately one hour. Jan Hansen, the head of the waterworks, stated that the breach occurred because the utility had switched to cheaper cybersecurity measures, which proved insufficiently secure compared to previous protections. Hansen advised other companies against cutting cybersecurity costs and recommended obtaining cyber insurance.
The Danish Defense Intelligence Service publicly attributed the attack to Russia in December 2025, linking it to a broader campaign of Russian cyber aggression against Western nations supporting Ukraine. The intelligence service characterized the attack as part of Russia's "hybrid war" aimed at creating instability and punishing countries backing Ukraine. This incident was cited alongside a separate November 2025 denial-of-service attack by another group, NoName057(16), also linked to Russia, which targeted Danish websites ahead of regional and local elections. Torsten Schack Pedersen, Denmarkâs minister of resilience and preparedness, acknowledged that while the physical damage from the waterworks attack was limited, it had serious ramifications. Pedersen stated the attack demonstrated forces capable of shutting down vital societal infrastructure and revealed that Denmark was not adequately equipped to handle such cyber incidents. The attack was included in an Associated Press database documenting 147 incidents attributed to Russia's campaign of sabotage and disruption across Europe since the invasion of Ukraine.