
Russian Actors Target Water Systems in Norway, Poland, Denmark, and Romania

3 unique sources, 4 articles

Summary


Russian state-sponsored actors have targeted water systems in Norway, Poland, and Denmark, exploiting weaknesses in critical infrastructure. On August 13, 2025, Norway's counter-intelligence agency attributed an April attack on a dam to Russian hackers, who opened a flood gate and released 500 liters of water per second for about four hours. The attack demonstrated the potential for water systems to be used as geopolitical pawns. Poland also reported a similar attack on a large city's water supply, which could have been shut down. In December 2025, Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, including a destructive attack on a water utility. Two Russian groups, Z-Pentest and NoName057(16), were identified as operating on behalf of the Russian state. The attacks are part of a broader influence campaign intended to undermine Western support for Ukraine. In a separate incident, reported on 22 December 2025, Romanian Waters, the country's water management authority, was hit by a ransomware attack over the weekend. The incident affected approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. Instead of dropping a custom encryptor, the attackers abused the built-in Windows BitLocker feature to encrypt the drives of compromised systems, then left a ransom note demanding that they be contacted within 7 days. The investigation is ongoing, and no attribution has been made yet. The incidents highlight the increasing focus of nation-state actors and criminals on water utilities, which are often underfunded and lack robust security measures, and form part of a broader pattern of cyberattacks on critical infrastructure with significant implications for national security and public safety.
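Detection logic for the BitLocker abuse described in the Romanian incident, added here as an example; it is not code from the page, the investigation or the affected authority. It assumes Sysmon-style process-creation records with the fields shown, a hypothetical allowlist of two management agents as the only legitimate BitLocker deployers, and constructed sample events (host names, domain and timestamps are invented). The rule patterns target the documented manage-bde switches and the BitLocker PowerShell cmdlets.

```python
"""Flag living-off-the-land BitLocker abuse in process-creation telemetry.

Added example; not code from the page or from the Romanian investigation.
Records mimic Sysmon Event ID 1 fields (UtcTime, Computer, User, ParentImage,
Image, CommandLine). Sample events, host names, the CORP domain and the
parent-process allowlist are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumption: these management agents are the only processes expected to
# turn BitLocker on in this environment; anything else is suspect.
TRUSTED_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe"}

# (regex over the command line, severity, what it indicates)
RULES = [
    (r"manage-bde(\.exe)?\s+-on\b.*\s-(pw|password|recoverypassword)\b", "high",
     "manage-bde enabling BitLocker with a password or recovery-password protector"),
    (r"manage-bde(\.exe)?\s+-protectors\s+-delete\b", "high",
     "manage-bde deleting existing key protectors (for example the TPM)"),
    (r"manage-bde(\.exe)?\s+-forcerecovery\b", "critical",
     "manage-bde forcing the OS volume into recovery mode: lockout at next boot"),
    (r"manage-bde(\.exe)?\s+-lock\b", "high", "manage-bde locking a data volume"),
    (r"enable-bitlocker\b.*-passwordprotector\b", "high",
     "Enable-BitLocker with -PasswordProtector: attacker-chosen password instead of the TPM"),
    (r"\b(add|remove)-bitlockerkeyprotector\b|\block-bitlocker\b", "high",
     "key-protector manipulation or volume lock via the BitLocker PowerShell module"),
    (r"convertto-securestring\b.*-asplaintext\b.*bitlocker", "medium",
     "plaintext password hard-coded into a BitLocker command"),
]
INTERESTING = {"manage-bde.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return [(severity, description)] for one process-creation record."""
    if _basename(ev["Image"]) not in INTERESTING:
        return []
    hits = [(sev, desc) for pat, sev, desc in RULES if re.search(pat, ev["CommandLine"], re.I)]
    if _basename(ev.get("ParentImage", "")) in TRUSTED_PARENTS:
        # Expected deployment path: keep the record for audit, drop the urgency.
        hits = [("low", desc + " (trusted management parent)") for _, desc in hits]
    return hits


def highest_severity(ev):
    """Name of the worst finding for the record, or None if it is clean."""
    hits = classify_event(ev)
    return max((s for s, _ in hits), key=SEVERITY.__getitem__) if hits else None


def campaign_hosts(events, window=timedelta(hours=1), floor="high"):
    """Distinct hosts with findings >= floor inside the densest window. A burst
    across many hosts is the mass-encryption pattern, not a one-off admin task."""
    flagged = sorted(
        (datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"), ev["Computer"])
        for ev in events
        if highest_severity(ev) and SEVERITY[highest_severity(ev)] >= SEVERITY[floor]
    )
    best = set()
    for i, (t0, _) in enumerate(flagged):
        hosts = {h for t, h in flagged[i:] if t - t0 <= window}
        if len(hosts) > len(best):
            best = hosts
    return sorted(best)


# Constructed telemetry: one legitimate rollout, then an intrusion touching three hosts.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-12-20 02:10:05", "Computer": "WKS-ADMIN-01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "Image": "C:\\Windows\\System32\\manage-bde.exe",
     "CommandLine": "manage-bde.exe -on C: -RecoveryPassword -UsedSpaceOnly"},
    {"UtcTime": "2025-12-20 03:41:12", "Computer": "SRV-FILE-02", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\manage-bde.exe",
     "CommandLine": "manage-bde.exe -protectors -delete D: -type TPM"},
    {"UtcTime": "2025-12-20 03:41:40", "Computer": "SRV-FILE-02", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"$p=ConvertTo-SecureString 'Xk9!' -AsPlainText -Force; "
                    "Enable-BitLocker -MountPoint D: -PasswordProtector -Password $p -UsedSpaceOnly\""},
    {"UtcTime": "2025-12-20 03:52:07", "Computer": "SRV-HIST-01", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\manage-bde.exe",
     "CommandLine": "manage-bde.exe -forcerecovery C:"},
    {"UtcTime": "2025-12-20 04:05:33", "Computer": "WKS-OPS-17", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -c \"Enable-BitLocker -MountPoint C: -PasswordProtector -Password $p\""},
    {"UtcTime": "2025-12-20 04:06:00", "Computer": "WKS-OPS-18", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe shift-log.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for sev, desc in classify_event(ev):
            print(f"{ev['UtcTime']} {ev['Computer']:<13} {sev:<8} {desc}")
    hosts = campaign_hosts(SAMPLE_EVENTS)
    if len(hosts) >= 3:
        print("mass-encryption pattern: BitLocker abuse on", ", ".join(hosts))
```

The per-event rules catch the individual commands; the window check is what separates an incident of the Romanian scale from routine disk-encryption rollouts, which arrive from a management agent under SYSTEM and are downgraded rather than dropped so they remain auditable. A real deployment would also alert on the BitLocker event-log channel and on recovery-key deletions in Active Directory, which this sample does not model.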

Timeline

  1. 22.12.2025 17:25 · 1 article

    Romanian Waters Hit by Ransomware Attack

    Romanian Waters, the country's water management authority, was hit by a ransomware attack over the weekend. The incident affected approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. Instead of dropping a custom encryptor, the attackers abused the built-in Windows BitLocker feature to encrypt the drives of compromised systems, then left a ransom note demanding that they be contacted within 7 days. The investigation is ongoing, and no attribution has been made yet.
  2. 19.12.2025 14:28 · 3 articles

    Denmark Blames Russia for Cyberattacks on Water Utility

    Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, including a destructive attack on a water utility. The Danish Defence Intelligence Service (DDIS) assessed that the pro-Russian hacktivist group Z-Pentest carried out the destructive attack on the water utility in 2024, and that NoName057(16) was behind a series of distributed denial-of-service (DDoS) attacks on Danish websites in the run-up to the 2025 municipal and regional council elections. DDIS assessed both groups to be operating on behalf of the Russian state, as part of a broader influence campaign intended to undermine Western support for Ukraine. In early December, CISA, together with the FBI, NSA, Europol's European Cybercrime Centre (EC3), and other cybersecurity and law enforcement agencies worldwide, warned that pro-Russia hacktivist groups including Z-Pentest, Sector16, NoName057(16), and Cyber Army of Russia Reborn (CARR) are targeting critical infrastructure organizations worldwide.
  3. 15.08.2025 16:00 · 3 articles

    Russian Actors Target Water Systems in Norway and Poland

    On August 13, 2025, Norway's counter-intelligence agency attributed an April attack on a dam to Russian hackers, who opened a flood gate and released 500 liters of water per second for about four hours. The attack demonstrated the potential for water systems to be used as geopolitical pawns. Poland also reported a similar attack on a large city's water supply, which could have been shut down.


Similar Happenings

Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S. and global critical infrastructure. They target a wide range of sectors, including water treatment, food production, and energy, using easily repeatable methods: the groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. A joint advisory from CISA, FBI, NSA, and global partners urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks; the cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 use simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces (HMIs). In some cases these intrusions have had physical impacts, including temporary loss of view and costly manual recovery efforts.
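A worked check for the exposure the advisory describes, added here as an example and not taken from the page or the advisory: given the bytes a VNC server sends during the RFB handshake, classify what authentication it will accept. The security-type numbers come from RFC 6143 and the IANA RFB registry; the sample server responses, the severity labels and the `probe` helper's default timeout are this example's own assumptions.

```python
"""Classify how an RFB (VNC) server lets clients authenticate.

Added example; not code from the page or from the CISA/FBI/NSA advisory.
Only the server's side of the handshake is needed, so the sample responses
are constructed byte strings. Type numbers follow RFC 6143 and the IANA RFB
security-type registry: 1 = None, 2 = VNC Authentication (8-byte DES
challenge/response; the password is truncated to 8 characters).
"""
import re
import socket
import struct

SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt", 20: "GTK-VNC SASL",
}
ENCRYPTING = {5, 6, 18, 19}  # types that wrap authentication in RSA or TLS
BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def _reason(data):
    """ConnectionFailed payload: U32 length followed by a reason string."""
    (n,) = struct.unpack(">I", data[:4])
    return data[4:4 + n].decode("latin-1", "replace")


def parse_handshake(server_bytes):
    """Parse the ProtocolVersion banner and the security negotiation after it."""
    m = BANNER.match(server_bytes)
    if not m:
        raise ValueError("not an RFB ProtocolVersion banner")
    version = (int(m.group(1)), int(m.group(2)))
    body = server_bytes[12:]
    if not body:
        raise ValueError("truncated: no security negotiation after the banner")
    if version < (3, 7):
        # RFB 3.3 (3.5 is treated the same): the server dictates one type as a U32; 0 = failed.
        (chosen,) = struct.unpack(">I", body[:4])
        types = [] if chosen == 0 else [chosen]
        reason = _reason(body[4:]) if chosen == 0 else None
    else:
        # RFB 3.7/3.8: U8 count, then that many U8 types; count 0 = failed.
        count = body[0]
        types = list(body[1:1 + count])
        reason = _reason(body[1:]) if count == 0 else None
    return {"version": "%d.%d" % version, "security_types": types, "failure_reason": reason}


def assess(types):
    """Turn the offered types into a finding; the severity labels are this example's own."""
    names = ", ".join(SECURITY_TYPES.get(t, "type %d" % t) for t in types)
    if not types:
        return "info", "server refused the connection before authentication"
    if 1 in types:
        return "critical", "type None offered: anyone who can reach the port gets the desktop"
    if 2 in types:
        note = "VNC Authentication offered: DES challenge on an 8-char password, session in cleartext"
        if set(types) & ENCRYPTING:
            note += "; stronger types are listed too, but the client chooses, so an attacker picks type 2"
        return "high", note
    if set(types) & ENCRYPTING:
        return "low", "only encrypting types offered: " + names
    return "medium", "unrecognised or vendor-specific types, verify manually: " + names


def audit(server_bytes):
    """Parsed handshake plus risk label and note."""
    result = parse_handshake(server_bytes)
    result["risk"], result["note"] = assess(result["security_types"])
    return result


def probe(host, port=5900, timeout=3.0):
    """Live check: read the banner, echo it back to accept that version, read the type list."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        s.sendall(banner)
        return audit(banner + s.recv(1024))


# Constructed server responses (what a listener sends before any client authentication).
SAMPLE_OPEN = b"RFB 003.008\n" + bytes([1, 1])              # offers only None
SAMPLE_DES_33 = b"RFB 003.003\n" + struct.pack(">I", 2)     # old server, VNC Auth forced
SAMPLE_MIXED = b"RFB 003.008\n" + bytes([2, 2, 19])         # VNC Auth and VeNCrypt
_MSG = b"Too many security failures"
SAMPLE_REFUSED = b"RFB 003.008\n" + b"\x00" + struct.pack(">I", len(_MSG)) + _MSG

if __name__ == "__main__":
    for name, raw in [("open", SAMPLE_OPEN), ("des-3.3", SAMPLE_DES_33),
                      ("mixed", SAMPLE_MIXED), ("refused", SAMPLE_REFUSED)]:
        r = audit(raw)
        print(f"{name:<8} RFB {r['version']} types={r['security_types']} {r['risk']}: {r['note']}")
```

Run stand-alone it audits the four constructed responses; `probe(host)` performs the same classification against a live listener on the default port 5900, which is how a utility would sweep its own address ranges before an attacker does. Type 2 is flagged high even when stronger types are listed alongside it because in RFB 3.7 and later the client, not the server, picks the type, so an attacker simply selects the DES option and guesses an 8-character password; the fix is to put the HMI behind a VPN or jump host rather than to lengthen the password.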

INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform

The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Data stolen includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025. Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of stolen data and is selling samples of the stolen data, escalating concerns among affected agencies.

Hacktivist Intrusions Target Canadian Water and Energy Facilities

Hacktivists have breached critical infrastructure systems in Canada, tampering with industrial controls at a water treatment facility, an oil and gas firm, and an agricultural facility. The breaches resulted in degraded service, false alarms, and potentially unsafe conditions. The attacks were opportunistic and aimed at attracting media attention and undermining trust in Canadian authorities. No catastrophic consequences were reported, but the incidents underscore the risks of poorly secured Industrial Control Systems (ICS) and the exposure of components such as PLCs, SCADA systems, HMIs, and industrial IoT devices, and the need for stronger security measures.

Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group (APT44), have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers for initial access, then relied on PowerShell commands, scheduled tasks, and legitimate software to evade detection and perform reconnaissance and data theft, demonstrating deep knowledge of Windows native tooling. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025 against Ukraine's education, government, and grain sectors; the grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The wipers used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group.

A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. The campaign involved spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to Sandworm (APT44) and has been observed conducting destructive campaigns in Ukraine, including deployment of the ZEROLOT and Sting wipers.

Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) against various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via the JavaScript loader SocGholish to deliver the Mythic Agent. This activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (GRU); the targeted entity had previously worked for a city with close ties to Ukraine. The ESET report noted that other Russia-aligned APT groups maintained their focus on Ukraine and countries with strategic ties to Ukraine while expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations during the reporting period, and selectively deployed one of Turla's backdoors, a rare instance of cooperation between Russia-aligned APT groups. Gamaredon's toolset continued to evolve, incorporating new file stealers and tunneling services.

TwoNet hacktivists target critical infrastructure with realistic honeypot attack

The pro-Russian hacktivist group TwoNet, previously known for DDoS attacks, targeted a water treatment facility in September 2025. The facility was a realistic honeypot set up by Forescout researchers to observe adversaries’ movements. The attack demonstrated TwoNet’s ability to move from initial access to disruptive actions in approximately 26 hours. The group exploited default credentials, SQL vulnerabilities, and an XSS flaw to gain access and disrupt operations. They created a new user account, displayed a hacking message, and disabled real-time updates and alarms. The intrusion was detected and logged by Forescout researchers monitoring the honeypot. TwoNet publicly claimed responsibility for the attack on its Telegram channel. The attack originated from an IP address linked to a German hosting provider, and the attacker used the Firefox browser on the Linux operating system. The attacker conducted defacement, process disruption, manipulation, and evasion activities. TwoNet has expanded its activities to include targeting HMI and SCADA interfaces, publishing personal details of personnel, and offering cybercrime services. The group has also ceased operations as of September 30, 2025, according to a message in an affiliated group, CyberTroops.