Jun 03, 2026
Nov 17, 2025
6 Mins Read
Dec 09, 2025
DDoSia Targets Denmark: Weekly DDoS Threat Intelligence
Between November 4 and November 13, 2025, Denmark was included in a focused campaign by the pro-Russian hacktivist groups. The group published target lists, and these lists contained 136 Danish targets across government services and critical infrastructure. The selection of targets shows careful planning and a clear intent to cause disruption.
This article explains what happened, which systems were targeted, and why the attackers chose them.
What DDoSia is and How it Operates?
The DDoSia project is a tool, leveraging the disruptive power of Distributed Denial-of-Service (DDoS) attacks to target critical infrastructure and governmental bodies worldwide. DDoSia project was launched on Telegram in early 2022, managed by the pro-Russian hacktivist group NoName057(16), and has become a symbol of the growing intersection between cyber warfare and geopolitical conflict. For more detailed information on the DDoSia project, you can check our blog post.
The threat actors behind the project selects targets in NATO countries, countries that support Ukraine, and organizations connected to government, transportation, or energy and Denmark fits all of these categories.
What the Dataset Reveals?
Top Targeted Categories – Source: SOCRadar Threat Intel Team
1. What Was the Primary Focus of the Attacks?
Around 70% of the top targets in the dataset are government websites or institutions. These targets represent all levels of the Danish government:
- Federal institutions, including the Ministry of Finance and the Danish Government Portal.
- Major municipalities such as Aalborg, Randers, Gribskov, and Billund.
- KL, the national association that represents all 98 Danish municipalities.
This wide distribution is an attempt to show that government services across the entire structure can be disrupted.
2. Critical Infrastructure Was a Secondary but Important Target
The second group of targets is critical infrastructure, mainly transportation. Two organizations were hit repeatedly:
- DSB, the national railway operator.
- Banedanmark, the organization responsible for the railway infrastructure.
These two entities were targeted 27 times in total. Denmark’s rail network is a central component of daily life, and disruptions could affect commuters, businesses, and logistics. Because the system is highly interconnected, even short disruptions could have visible consequences nationwide.
3. What Other High-value Targets Were Included?
DDoSia also attacked organizations connected to Denmark’s economy and industry. Two examples stand out:
- Danish Shipping Association, which represents one of the largest maritime sectors in the world.
- Billund Municipality, which hosts the international airport and the global headquarters of LEGO.
Again, even short interruptions can attract attention and affect both public perception and economic activity.
4. What Were the Attack Methods?
Attack Methods Distribution – Source: SOCRadar Threat Intel Team
The dataset shows that DDoSia used common and straightforward DDoS techniques. These include GET floods, SYN floods, POST floods, ACK floods, ICMP traffic, and UDP floods. These methods are not technically advanced, but they are easy to run on a large scale.
Target Ports Distribution – Source: SOCRadar Threat Intel Team
Most of the attacks targeted port 443 (HTTPS), which is used by websites and online services. This suggests that the attackers focused on visible, public-facing systems rather than attempting to disrupt internal networks.
Why Do These Targets Matter?
The combination of targets illustrates several goals.
First, by attacking government services across all levels, the group aims to create the impression that public institutions are vulnerable. When municipal and national websites go offline at the same time, the disruption feels widespread even if the damage is temporary.
Second, by targeting railways and transportation, the attackers attempt to disrupt daily life. DSB and Banedanmark are both essential for nationwide movement. Even minor delays caused by technical issues can result in frustration towards the authorities and economic loss.
Third, the focus on economic and symbolic assets, such as Danish Shipping and the Billund area. It seems that these attacks are designed to cause economic disruption as well.
Finally, Denmark’s political alignment with Ukraine is likely a key driver. Hacktivist groups aligned with Russia frequently strike NATO countries to express opposition or to create political pressure.
What are the Most Targeted Hosts?
Top 10 Targeted Hosts – Source: SOCRadar Threat Intel Team
These targets cover public administration, transportation, economic infrastructure, and national governance:
- gribskov.dk (Gribskov Municipality)
- dsb.dk (National rail operator)
- bane.dk (Rail infrastructure)
- randers.dk (Randers Municipality)
- aalborg.dk (Aalborg Municipality)
- fm.dk (Ministry of Finance)
- danishshipping.dk (Maritime industry)
- billund.dk (Municipality with major airport and LEGO headquarters)
- kl.dk (Association of all municipalities)
- regeringen.dk (Government portal)
Conclusion
The DDoSia campaign against Denmark is moderate in size but highly organized. The threat actors distributed their efforts across a broad set of public-facing services which increased the perceived scale of the attack.
The choice of targets such as government services, rail systems, and economic hubs shows that the attackers understand which Danish assets are most visible and most likely to attract public attention. Even though these attacks rely on simple methods, they can still cause inconvenience, raise public concern, and deliver a political message.
If you’d like a more detailed report, feel free to contact us at [email protected]
Table Of Content
Related Articles
