OpDenmark & the Russian Hacker Alliance

New research from Truesec reports that a newly formed Russian hacker alliance, calling itself the Russian Legion, has issued a warning of an imminent large-scale cyberattack against Denmark, code-named ‘OpDenmark.’  The alliance, led by the hacker group Cardinal and comprising The White Pulse, Russian Partizan, and Inteid, was publicly announced last week.  Meanwhile, Inteid is linked to a recent DDoS attack targeting Denmark’s health portal, sundhed.dk.[1]  “The first threat was published on the Russian Legion’s Telegram channel on 28 January 2026, demanding that the Danish government publicly reject the transfer of a 1.5 billion DKK military aid package to Ukraine within 48 hours,” Truesec detailed in a 30 January post.  The group stated, ‘DDoS is just the tip of the iceberg; after 48 hours, we will switch to real cyber-attacks.’

Truesec added that since then, the Russian Legion and its members, Inteid and Cardinal, have posted screenshots of Danish company websites that have apparently been DDoS’ed.  “Over the past 48 hours, Russian Legion has issued several statements claiming that Danish companies and public organizations have been targeted by DDoS attacks, with the energy sector being mentioned multiple times.  According to their statements, the main cyberattack is scheduled to begin at 6 PM Moscow Time (4 PM Danish time) today.”

The researchers assess that the Russian Legion is likely state-aligned but not state-funded.  “This aligns with Truesec’s broader threat intelligence, which consistently observes that geopolitical events, such as the Russian invasion of Ukraine, trigger increased cyber intrusion attempts from Russian-linked threat actors.  These groups frequently engage in both psychological operations and disruptive attacks.”  Historically, Russian hacker groups have used cyber sabotage and hacktivism to amplify information operations, aiming to intimidate and influence Western populations.

Recent industrial cybersecurity reporting reveals a growing and multifaceted threat landscape facing energy and critical infrastructure operators.  CERT Polska detailed coordinated destructive cyberattacks on more than 30 wind, solar, and combined heat and power (CHP) facilities in Poland on 29 December 2025, where attackers used wiper malware and industrial network intrusion techniques to disrupt communications and OT (operational technology) systems, even though electricity and heat supply remained uninterrupted, underscoring persistent adversary interest in OT environments.

Independent analysis from Dragos highlights this incident as the first significant cyberattack on distributed energy resources (DERs), marking a strategic shift from centralized grid control systems to attacks against decentralized generation assets that widened the electric grid’s cyber-attack surface and resulted in loss-of-view, loss-of-control, and DoS conditions at affected sites despite no outages.  Furthermore, Microsoft Defender research uncovered sophisticated, multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) campaigns targeting energy sector organizations, where attackers abused trusted SharePoint services and inbox rule manipulations to compromise accounts and propagate phishing operations, illustrating how credential and email compromise remain effective vectors for broadening access and persistence beyond OT.

Based on past incidents, Truesec advises organizations to implement robust DDoS protection measures.  Russian hacktivist groups frequently rely on DDoS attacks as a primary tactic, and their intensity has increased with the growing availability of powerful DDoS-for-hire services.  Maintaining up-to-date mitigation controls, including rate limiting, geo-blocking, and dedicated DDoS protection services, can significantly reduce both the risk and operational impact of these attacks.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://industrialcyber.co/utilities-energy-power-water-waste/truesec-flags-opdenmark-cyber-threat-as-russian-legion-issues-large-scale-attack-warning-against-denmark/