Russian Hacker Alliance Targeting Denmark in Large-Scale Cyberattack

What happened

A newly formed Russian hacker alliance has launched a coordinated campaign of distributed denial-of-service (DDoS) attacks against Danish organisations and infrastructure. The alliance, identified by Truesec analysts and calling itself Russian Legion, includes groups such as Cardinal, The White Pulse, Russian Partizan, and Inteid. It publicly announced its formation on January 27, 2026 and initiated an operation it labelled “OpDenmark.” The campaign began with a public ultimatum on January 28 demanding that Denmark withdraw a 1.5 billion DKK military aid package to Ukraine within 48 hours, after which the group warned that DDoS attacks were only preliminary and more severe cyber operations could follow. After the deadline passed, multiple Danish companies and public sector organisations, including those in the energy sector, experienced service disruptions from repeated attack traffic aimed at overwhelming their online systems. Analysts characterized Russian Legion as a state-aligned, though not state-funded, threat actor leveraging coordinated hacktivist capabilities.

Who is affected

Danish organisations in both public and private sectors are affected by service disruptions from the high-volume DDoS attacks initiated by the Russian Legion alliance, with impacts reported in sectors such as energy infrastructure.

Why CISOs should care

The campaign illustrates how coordinated hacktivist alliances can use DDoS campaigns and public messaging to exert pressure on national policy and disrupt critical services. That calls for attention to a resilient defensive posture and to response planning.

3 practical actions

  • Validate DDoS mitigation capacity. Review defensive controls to ensure they can withstand coordinated traffic floods.
  • Monitor service availability. Detect and respond to abnormal outages or disruptions indicative of attack patterns.
  • Review public threat indicators. Correlate external warnings or ultimatum messages with network telemetry to inform threat context.