Russian Hacktivist Group “Russian Legion” Initiate OpDenmark

Truesec has now observed that a new round of attacks is likely to begin, as Russian Legion has announced Phase 2 named “Operation Ragnarök”. There have also been some indications that the alliance will start a campaign against Swedish targets too. [2]

On February 2, it was officially announced that ShadowClawZ 404 joined the Russian Legion, alongside Russian Partisan, White Pulse, Inteid and Cardinal. The Russian Legion announced that they are actively recruiting additional established actors to join their alliance. Russian Legion also stated that members can receive operational funding and performance-based bonuses. [2]

On February 3, Russian Legion released a video titled “Appeal to the Danish Government (Phase 2, transition to Operation Viking).” In this video, the group directly threatened the Danish government, demanding that Denmark “recall the aid now or we will turn your kingdom into a digital wasteland.” They imposed a 72-hour deadline, warning that they would “deliver a verdict” if their demands are not met. The deadline falls on Friday, February 6. [2]

Assessment

That the threat actor calling themselves Russian Legion is offering cash prizes for hacktivists that join their cause suggests that they are not just aligned with Russia, but also state-funded. NoName057(16), another pro-Russian hacktivist group that also offers cash prizes to hacktivists that join their cause, has been tied to a Russian government institute that is involved in information warfare for the Russian government. Russian Legion may attempt to use similar methods.

It is also important to understand that groups like Russian Legion are using language to create fear and doubt far beyond their actual capabilities. Many of the hacktivist groups in this alliance are assessed to be small teams, or even single individuals trying to appear to be a greater threat than they actually are. While their messaging suggests that they are capable of more sophisticated hacking, the reality is often that they are limited to DDoS and web defacement attacks.

Truesec assesses that there is an elevated threat for DDoS attacks against Nordic web sites in the coming week. There is also the possibility that some threat actor may attempt to launch other disruptive attacks against unprotected systems, like the hacking of CCTV in Denmark.[3]

Russian Legion and it’s affiliate groups are not assessed to have the capability to conduct more serious destructive cyber attacks, like the attack on Poland’s energy grid in December 2025, however.

Recommendations

The fact that Russian Legion may be state funded, means that it is possible that it will have resources to fund larger DDoS attacks than groups that rely on crowd-funding from online fans to finance their attacks. It is still possible that this is more hype, than serious funding, however.

Organizations that may suffer business impact from DDoS attacks on their web sites should prepare for possible disruption in the coming week. Truesec has published recommendations for organizations that need to strengthen their DDoS protection.[4] If you require additional assistance in assessing the threat to your organization or taking the correct preventive measures, then do not hesitate to reach out to Truesec.

References

[1] https://www.truesec.com/hub/blog/newly-established-russian-hacker-alliance-threatens-denmark
[2] t.me/ruLegionn
[3] https://www.truesec.com/hub/blog/russian-hacktivists-hack-cctv-cameras-in-denmark
[4] https://www.truesec.com/security/distributed-denial-of-service-ddos