Full text
När Sverige, Danmark, Norge och Finland går emot Rysslands intressen eller håller demokratiska val så försöker pro-ryska ”hacktivister” störa och förstora i länderna – NORDIS har följt hackarnas aktiviteter.
Illustration: Nathalie Damgaard Frisch/TjekDet
I ett samarbete med TjekDet, Faktabaari och Faktisk har vi undersökt hur pro-ryska hackare agerar i de nordiska länderna. Genomgången är på engelska.
At a press conference last year the former Danish Minister of Defence, Troels Lund Poulsen, announced that Russia has been found responsible for “destructive and disruptive cyberattacks against Denmark”.
From the Danish public service channel DR.
The destructive attack took place in 2024 against a Danish waterworks facility, where hackers gained access to the control system and increased the water pressure. This caused several water pipes to burst and left residents without water.The disruptive attacks were DDoS-attacks targeting Danish websites ahead of the 2025 municipal and regional elections, temporarily preventing access to the sites.The attacks were carried out by the hacker groups Z-Pentest Alliance and NoName057(16), which, according to the Danish intelligence service, have links to the Russian state.
We are neither in a state of war nor in a state of peace, the Danish Minister of Defence concluded at the press conference in November 2025. The attacks are part of Russia’s hybrid war against the West.The two hacker groups are far from the only ones carrying out such attacks. The Nordic Observatory for Digital Media and Information Disorder, NORDIS, a collaboration of Nordic fact-checkers and researchers, has followed more than 20 pro-Russian groups on Telegram in recent months, where the hackers mockingly publicise their attacks. In the latest years they have targeted Denmark, Norway, Finland and Sweden.
The situation in the Nordics
In 2026 alone, Denmark has been attacked 247 times, according to the hacker groups NORDIS has been following. That is by far the highest number among the Nordic countries, although not all of the attacks have been successful.The vast majority are DDoS-attacks against websites (distributed denial-of-service attack), which can make the sites inaccessible for a period of time. However, there are also a number of examples where hackers have successfully gained access to various surveillance cameras and subsequently shared images and videos from them on Telegram, as well as attempts to manipulate technology.
From reporting of the Danish fact-checker TjekDet.
According to the The Danish Resilience Agency’s threat assessment, the hackers often target websites belonging to authorities and companies involved in critical infrastructure. NORDIS’ investigation shows the same pattern.In Norway April 2025 unauthorized individuals gained digital access to a dam facility for a fish hatchery by Risevatnet in Bremanger.According to the National Criminal Investigation Service, Kripos, a special unit in the Norwegian police focused organized and serious crimes, the hackers had access to the control panel from 12:57 PM to 4:49 PM. During these four hours, the perpetrators increased the water inflow in the facility, causing the valves to release nearly 500 liters of water per second before the attack was discovered and halted.The leak reportedly had no consequences, as the dam is estimated to handle around 20,000 liters of water per second.
From the Norwegian magazine Energiteknikk.
In October, the police security agency PST in Norway concluded the investigation with Kripos and stated that pro-Russian hackers were behind the attack. The case was then closed and no one was charged.In June 2025, a three minute video showing the cyber break-in was posted to a Telegram channel belonging to the pro-Russian hacker group Z-Pentest Alliance, where the alliance claimed responsibility. PST has concluded that this is the group behind the attack.
From Telegram.
The channel has now been removed from Telegram, and a new one has emerged with the same name. The Norwegian NORDIS partner Faktisk has screenshots of the video and the messages published in the aftermath of the attack. The video shows a control panel where numbers are being altered by the hackers.
Attacks to disrupt elections
Pro-Russian hackers have also published posts claiming to have carried out a number of DDoS-attacks against several Norwegian websites. One such attack occurred when Høyre’s, the Conservative Party, website was knocked offline just six days before the 2025 Norwegian parliamentary election.Researchers mapping foreign influence in connection with the parliamentary election believe the hacker group’s intent ”was to make themselves interesting and relevant within hacktivist communities and to the Russian authorities.”Andreas Skjøld-Lorange, specialist director at Norway’s agency for national protective security NSM, believes the attacks are not necessarily an attempt to influence the election results themselves, but rather an easy opportunity to create division and distrust.”Even though something might feel specifically targeted toward an election, it may just be an opportunity to amplify efforts that they actually have a very long-term horizon on,” Skjøld-Lorange tells Faktisk.He does not think it is a coincidence that the hackers have chosen to shift their focus away from Norway and over to other countries, such as Denmark, which held elections in March of this year.The Norwegian Defence Research Establishment (FFI) has concluded that the hackers’ activities did not have any significant impact on the 2025 parliamentary and Sámi parliament elections in Norway.
From the Norwegian newspaper VG.
In Sweden authorities have seen a clear development since 2023 – cyber attacks haven’t necessarily increased in number but in their level of sophistication. The attackers have changed focus from IT-attacks, with limited effects outside the internet, to OT-attacks (”Operational Technology”) striking critical infrastructure.”Earlier non-state actors have been very focused on DDoS-attacks, ransomware and such. Now we see that they have expanded to some more advanced operations”, says Ola Billger, head of communication for The National Defence Radio Establishment (FRA), the Swedish national authority for Signals Intelligence and home to the National Cyber Security Centre NCSC since 2024.Some attacks seem to have secondary objectives as well.
On the eve of the election day 2018 in Sweden, when the vote count had just started, the site of the Swedish Election Authority crashed. Afterwards there were unfounded rumors that the election results had been manipulated during the period when the site was down.
From the Swedish newspaper Dagens Nyheter.
After closer examination the Election Authority concluded that a DDoS-attack had been directed at the site.In the next Swedish election 2022 there were three such attacks against the site of the Election Authority, raising suspicions that the goal was to fan new rumors of election manipulation.
Ahead of the upcoming election in September 2026 the Swedish Security Service (SÄPO) warns of foreign interference in the electoral process – and that Russia in this regard is of the ”highest priority” for them.
DDoS-attacks and data breaches in Finland
In Finland the group NoName057(16) has carried out repeated series of DDoS-attacks in recent years, targeting, for example, the Tax Administration, ministries, banks, the City of Helsinki, and the Bank of Finland’s websites.
From Telegram.
When Finland joined NATO in April 2023, the group succeeded in taking down the Parliament’s website for a day. At the same time, it also disrupted the websites of the Prime Minister’s Office and the Prime Minister Sanna Marin, among others.In April 2025, during the municipal and regional elections, NoName launched denial-of-service attacks against the websites of election-related actors and took down the Center Party’s website. In early 2026, the group announced on its Telegram channel that it had carried out several dozen attacks against Finland, but its activity has since subsided.
Stealing sensitive information
In April 2026, the Finnish Security Police, Supo, and the National Cyber Security Center reported that they had thwarted a Russian military intelligence operation in Finland. A “Russian threat actor group” dubbed APT 28, had hijacked several dozen poorly secured home routers and other internet-connected devices as part of a cyberespionage operation.The hackers had set up a network in which all devices communicated with one another. The Russians’ intention was to use the hijacked home routers to hide their own activities.
Press release of the Finnish Security and Intelligence Service, Supo.
At the same time, they had the opportunity to steal sensitive information from intercepted communications if those messages happened to come from, for example, a government official or a company representative who was working on a home computer.The operation was halted when experts from the Cyber Security Center contacted the Finnish owners of the outdated routers and advised them on how to update or replace them.“This was a telling example of how both cybercrime and state-sponsored espionage operate today by using vulnerabilities in home routers,” says Samuli Könönen, an information security expert at the Cyber Security Center.
Unsubstantiated claims
Overall, DDoS-attacks by pro-Russian activists have not caused significant harm to Finns. Samuli Könönen estimates that for Russian hacker groups, gaining visibility for their pro-Russian messages and their anti-Ukraine and anti-Western activities is more important than technical achievements.“This is evident, for example, in the fact that when they promote their activities on Telegram, it is just the tip of the iceberg of what they are trying to do,” says Könönen.
From Telegram.
Internationally, cybersecurity authorities are closely monitoring the command-and-control traffic of Noname’s denial-of-service attacks. Every day, the group sends a list of IP addresses to be attacked to devices connected to the network. There are far more targets than successful attacks.“On Telegram, they only publish a list of those targets to which they can at least falsely attach images of successful attacks. Typically, the group retrieves a screenshot of a ‘404’ error from the page, which indicates that the requested page was not found,” Könönen notes.Sometimes, Könönen says, the reason for the error message may just as well be that the site has restricted access from abroad and continues to function well from within Finland.According to Könönen, similar exaggerations can be seen in reports of data breaches and, for example, in the hijacking of surveillance cameras, which Russian hackers have claimed credit for.According to Faktabaari’s own investigation, some of the surveillance camera footage published by the hacker group Morningstar had already been intentionally made publicly available online. Könönen confirms this finding.
Funded by Kremlin
Hacktivism has grown significantly as a phenomenon since Russia’s full-scale invasion began in 2022, says Samuli Könönen. In the early stages of the war, many people in countries supporting Ukraine felt a desire to strike back at Russia.
”The IT Army of Ukraine” was established in Ukraine, coordinating its activities via Telegram and Twitter. It invited volunteer hackers from around the world who support Ukraine to join. They began carrying out denial-of-service attacks and data breaches against Russia. At the end of February 2022, the group reported that it had taken down, for example, the websites of the Moscow Stock Exchange and Sberbank, Russia’s largest bank.
“Pro-Russian hacker groups like NoName emerged as a reaction to that,” says Könönen.
There are indications that the Russian government was involved in the founding of both NoName and Z-Pentest and has provided financial support to the groups since then. And there are indications that the Kremlin is pleased with their efforts. Russia has supported both NoName and Z-Pentest with, among other things, financial resources.The Center for Research and Monitoring of Youth Online Behavior, established in 2018 on the orders of Vladimir Putin, serves as a front organization for the hackers.According to the American cyber defense agency CISA, Russia is likely responsible for supporting the creation of the groups ”The People’s Cyber Army of Russia” (CARR) and NoName057(16). The Z-Pentest Alliance emerged in 2024, composed of members from both of these groups.According to CISA, the center’s employees coded DDoSia, the software used by NoName for cyberattacks, funded the hacktivists’ network infrastructure, managed the hacktivists’ Telegram channels, and compiled lists of suitable targets.CARR, or “Cyber Army of Russia Reborn,” is, according to CISA, a creation of Russia’s military intelligence agency, the GRU. Between 2022 and 2024, the group utilized resources provided by GRU’s unit 74455. The Z-Pentest Alliance was founded in 2024 and consists of members from both of these groups.
From Telegram 22 April.
It is also the assessment of Rasmus Larsen, Director of Operational Intelligence at the Danish cybersecurity company CSIS Security Group, that the groups are broadly recognised by Russia.
“By all appearances, these groups originate from people based in Russia or in some of the states closely linked to Russia. So it is difficult to imagine that this is taking place without the tacit acceptance of the Russian authorities at an absolute minimum,” he assesses.
Attempts to stop the groups
The numbers of hacktivists participating in ideologically motivated DDoS-attacks are high and they operate from numerous countries, which makes the networks hard for the authorities to counter.Last year, an Ukrainian national, Victoria Eduardovna Dubranova, 33, was extradited to the United States and faced charges for alleged involvement with both CARR’s and NoName’s illegal activities.
In July 2025, Europol announced it had disrupted NoName’s infrastructure together with Eurojust by dismantling “a major part of the group’s central server infrastructure and more than 100 systems across the world”. Europol also made two arrests and added five Russian individuals to its “Most Wanted” list as part of the “Operation Eastwood”.“The operation brought NoName’s activities to a complete halt for a few weeks in the summer of 2025”, says Samuli Könönen.“Since then, operations have continued more or less as before. At the end of the summer of 2025, they were even slightly more intense for a while, as the targets included several entities that had participated in Eastwood.”
Beyond that, information about the many pro-Russian hacktivist groups is limited.
They are, however, keen to read about their own attacks in Western media. This may be linked to achieving their objective of “disruption”. Very few people in the Nordic countries follow their Telegram channels, just as most people probably do not notice when a website is occasionally unavailable for a short period.
“They pay very close attention to when and who writes about them, and what is being written. They are also very noisy on their online channels. Look at us, listen to us,” says Rasmus Larsen.
An example of their desire for exposure became particularly clear in January, when the Danish NORDIS partner TjekDet had already published several articles about the many attacks.
Attack against NORDIS partner
On 31 January, TjekDet’s chair of the board tries to access the website of the Danish outlet TjekDet.dk. Instead of being met with the latest fact-checks, she receives a message saying that the website is unavailable.
She contacts TjekDet’s editor-in-chief, who has long feared an attack from the groups exactly because the outlet itself has written about them. He is also unable to access the site.
Meanwhile, an email has arrived in the inbox. The sender is the hacker group Inteid.
“Hello, I am the owner of the hacker group Inteid. Today I carried out a DDoS-attack against your website www.tjekdet.dk,” it says.
The sender also explains what they demand in order not to attack TjekDet again. It is not about money, but about visibility.
“If you do not publish an article about my attack on your website, I will attack your website again in the near future. You must also forward this information to other media websites so that they too publish an article about my hacker attack on your website. You still have time,” it says.
Inteid posting on Telegram.
In addition, they demand that TjekDet report the group to the police, because they would like to be declared wanted by the authorities.
Meanwhile, the editor-in-chief is in contact with Peytz, the company responsible for TjekDet’s website, which can report that the website is experiencing an extraordinarily high level of traffic.
For several hours, the website is unstable, alternating between being available and unavailable.
“There is a massive network behind the DDoS-attack,” Peytz says in an update to TjekDet’s editor-in-chief. “It is difficult to block them, but everyone is doing everything they can.”
Later that evening, Peytz succeeds in mitigating the attack. TjekDet did not comply with Inteid’s demands.
Boastful and immature
This craving for attention and, at times, somewhat immature communication involving bragging and random claims that they have access to confidential state documents which they will publish – but never do – is one of the reasons why Rasmus Larsen at the Danish cybersecurity company CSIS Security Group does not consider the actual threat from them to be particularly high.“Typically, the people who are truly capable are the ones you never hear from. They are not busy showing off. They are busy doing things that actually work and can cause harm. Those are the people we are concerned about.”He explains that they operate with three levels of threats, and hacktivists like some of those discussed in this article are on the third and lowest level.
From a post on Telegram 9 February 2026.
“These activist groups appear much looser and nowhere near the same level as what we see from the other groups,” says Rasmus Larsen.Nor does he believe that the hacktivists possess capabilities that they are simply choosing not to display at the moment because we are not, after all, in an actual war with Russia.“But that does not mean they could not be provided with those capabilities if it were ever to come to that,” he says.
Revenge for support of Ukraine
According to the 2025 annual report by the European Union Agency for Cybersecurity (ENISA), the Nordic countries were not among the top five most targeted countries for cyberattacks in 2025. Noname directed the most denial-of-service attacks at the large EU member states – Germany, France, Italy, and Poland – as well as Lithuania among the Baltic countries.There are, as shown by this review, however still groups targeting the Nordics, and recently especially Denmark.
Rasmus Dahlberg, Associate Professor at Centre for Societal Security and Resilience at Roskilde University, has a theory as to why Denmark is the hardest-hit country in the Nordic region. He is deputy director of the research centre Centre for Societal Security and Resilience (SECURE) at Roskilde University.
“One obvious hypothesis is that it is because Denmark’s government has been very vocal in its support for Ukraine. We have not hidden the fact that we are a major donor country with strong public support for Ukraine in the war against Russia,” he says.
From the British newspaper The Independent.
The pro-Russian hacker groups have also pointed to support for Ukraine on several occasions as a reason for the attacks. On 28 January, Russian Legion, an alliance formed by several different groups, wrote on its Telegram channel:
“The Danish government plans to provide a military aid package worth 1.5 billion dollars. We consider this to be direct participation in the conflict and financing of the war against our interests. Denmark has 48 hours to publicly and officially reject the transfer of these funds. The refusal must be clear, unconditional and voiced at the level of the country’s leadership”.
From Telegram 16 February.
The Swedish Civil Defence and Resilience Agency (MCF) has concluded that the number of attacks is closely connected to Sweden’s position in the geopolitical landscape. When something unusual happens things can escalate quickly – as for example when Sweden joined the military alliance NATO in March 2024. According to the IT security company Cloudflare the number of denial-of-service attacks went up by 466 percent.
Other times when Sweden has caught the ire of the hackers has been in connection to the support for Ukraine. In February 2026 the Swedish NORDIS partner Källkritikbyrån exposed pro-Russian groups hacking into surveillance cameras in Sweden.
Images: Telegram
Images from the cameras were posted in an open Telegram channel the same day as Sweden had announced a new support package for Ukraine with millions for health and social care. The purpose? To scare and exact a ”tax” for activities that displease the hackers or their employers, according to experts Källkritikbyrån spoke to.When NORDIS investigates Telegram channels belonging to these and similar hacker groups it’s clear that a string of pro-Russian groups has claimed to have performed attacks in connection to similar events. On 24 November 2025 Sweden hosted the Crimea Platform, a yearly summit to gather support for Ukraine and opposition against the Russian occupation of the Crimean Peninsula.In the days leading up to the summit one of the groups NORDIS has been monitoring published reports of attacks against 28 Swedish targets, among them political parties such as Miljöpartiet, Centerpartiet and several city- and municipality sites.
Wants visibility
Ola Billger at The National Defence Radio Establishment (FRA) underscores that although the authorities take these reports seriously, you should also be wary. The group’s openness may originate from their desire for attention, which can lead to more job offerings and better pay.”So, sometimes these groups actually take responsibility for acts that they haven’t committed. That’s a reason why we are careful to comment on who is behind an attack sometimes. We don’t want to draw unnecessary attention to groups that live for exactly that kind of thing.”
This is echoed in Norway as well. During the Norwegian political festival Arendalsuka in the summer of 2025, PST chief Beate Gangås stated that the purpose of such operations is likely to contribute to broader influence, in addition to creating fear and unrest among a country’s population.
After the news about the cyber attack against the dam in Norway became publicly known in August, a YouTube-video and news articles about the attack were also shared in the Telegram channels. In these posts, the hacker alliance itself wrote that their goal ”is not to cause damage, but to demonstrate our readiness to defend the interests of Russia and to act decisively if necessary.”
Warfare in the cognitive domain
Although the consequences of DDoS-attacks specifically are usually minimal – a website that cannot be accessed, typically for a short period – Rasmus Dahlberg at Roskilde University believes they can be quite effective in the type of warfare taking place in the so-called cognitive domain. This is also the domain that is targeted when a foreign state attempts to spread disinformation.Rasmus Dahlberg describes Russia’s tactic as “death by 1,000 cuts”.“That is the hallmark of hybrid warfare. We are not being subjected to a large digital version of Pearl Harbor. It is a whole series of small attacks that, over time, can potentially undermine trust, spread concern and thereby erode the cohesion of our society,” he says, pointing out that there is reason to be concerned that DDoS-attacks, for example, may expose authorities’ inability to prevent this type of attack.
From Telegram 23 March.
According to Rasmus Dahlberg, it is difficult to tell how well Denmark is technically protected against cyberattacks. Nor is that necessarily the most important issue, he believes, because in reality this is not a battle being fought in cyberspace, but in all of our minds. Or, in the language of researchers: the cognitive domain.That is why the authorities must be good at preventing the secondary effects of a DDoS-attack, for example. This requires, among other things, that authorities are transparent and provide broad information, so that they do not leave the public worried.“I am not entirely convinced that we are strong enough at that yet. And that was a polite way of putting it,” he says.
The investigation is a result of the collaboration project Nordis (Nordic Observatory for Digital Media and Information Disorder) that you can read more about here. Representatives from Finland, Denmark, Norway and Sweden worked together on this investigation.
Daniel Greneaa Hansen (TjekDet)Jonathan Lundberg (Källkritikbyrån)
Joonas Pörsti (Faktabaari)
Kajsa Garmann Lønrusten (Faktisk.no)Petri Jääskeläinen (Faktabaari)
Åsa Larsson (Källkritikbyrån)
Tidigare gemensamma granskningar inom NORDIS:► Så infiltrerar ryska propagandasidor AI-chattbottar i Norden► Här är männen bakom “2-minuters hälsokontroller”► “Staten kidnappar barn” – så skiljer sig ryktena åt i de nordiska länderna
Den här granskningen är ett samarbete genom NORDIS, Nordic observatory for digital media and information disorder, ett samarbetsprojekt mellan faktagranskare och forskare i de nordiska länderna. Här hittar du artikeln på engelska på Nordis sajt!