Newly Established Russian Hacker Alliance Threatens Denmark

The first threat was published on the Russian Legion’s Telegram channel on January 28, 2026, demanding that the Danish government publicly reject the transfer of a 1.5 billion DKK military aid package to Ukraine within 48 hours. The group stated, “DDoS is just the tip of the iceberg; after 48 hours, we will switch to real cyber attacks.” Since then, Russian Legion and its members, Inteid and Cardinal, have posted screenshots of Danish company websites that have apparently been DDoS’ed.

Over the past 48 hours, Russian Legion has issued several statements claiming that Danish companies and public organizations have been targeted by DDoS attacks, with the energy sector being mentioned multiple times. According to their statements, the main cyberattack is scheduled to begin at 6 PM Moscow Time (4 PM Danish time) today.

Assessment

It is Truesec’s assessment that The Russian Legion is likely state-aligned but not state-funded. This aligns with Truesec’s broader threat intelligence, which consistently observes that geopolitical events, such as the Russian invasion of Ukraine-trigger increased cyber intrusion attempts from Russian-linked threat actors. These groups frequently engage in both psychological operations and disruptive attacks. Historically, Russian hacker groups have used cyber sabotage and hacktivism to amplify information operations, aiming to intimidate and influence Western populations.

While some campaigns have resulted in tangible impact, such as DDoS attacks against public services and infrastructure, a significant portion of these threats are designed to create uncertainty and fear, leveraging public messaging and social media for psychological effect. Notably, escalation patterns often begin with public threats and low-impact attacks (like DDoS), followed by promises of more severe actions if demands are not met. However, Truesec’s data indicates that, in many cases, these threats do not escalate to catastrophic outcomes, particularly when targeted organizations respond rapidly with defensive measures.

Recommendations – Response Effectiveness

Based on previous incidents, implementing robust DDoS protection measures is strongly recommended. Russian hacktivist groups often rely on DDoS attacks as a primary tactic, and the intensity of these attacks has increased due to the availability of powerful DDoS-for-hire services. Ensuring your organization has up-to-date DDoS mitigation solutions in place – such as rate limiting, geo-blocking, and leveraging specialized DDoS protection services – can significantly reduce the risk and operational impact of such attacks. [2]

References

[1] https://www.tjekdet.dk/indsigt/sundheddk-ramt-af-hackerangreb-russisk-gruppe-tager-ansvaret
[2]Truesec Threat Intelligence Report 2024