
Tureby-Alkestrup Vandvaerk Water Utility Cyberattack

Tureby-Alkestrup Vandværk is a local, cooperative water utility providing potable water to residential areas near Køge, southwest of Copenhagen, Denmark, relying on pumps and control systems for distribution. In December 2024, a cyberattack targeted the utility and remotely manipulated pump pressure in the operational technology (OT) systems, causing multiple pipe bursts and temporary water outages affecting hundreds of households for up to seven hours. The incident disrupted drinking water supply in a critical infrastructure sector and was attributed by Danish authorities to the pro-Russian hacktivist group Z-Pentest, linked to Russian state interests as part of hybrid warfare.
Incident
Attackers exploited internet-exposed Human-Machine Interface (HMI) devices in the utility's OT network, specifically Virtual Network Computing (VNC) services on default ports with weak or default credentials, likely after a cost-driven switch to less robust cybersecurity. Once inside, they conducted reconnaissance, gained control of pump systems, and repeatedly manipulated water pressure manually. This caused hydraulic surges leading to at least three pipe bursts. The incident unfolded overnight, with hackers actively altering settings multiple times, disabling pumps temporarily, and creating physical damage before detection and response measures restored control.
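For utilities auditing their own HMIs for the exposure described above, the following added example (not part of the original write-up or of any tool used in the investigation) classifies the server side of a VNC (RFB) handshake taken from a packet capture of the operator's own device and reports which authentication the service offers. The function name, the risk labels and the sample byte strings are assumptions constructed for illustration; the message layout follows RFC 6143.

```python
import re

# Security types defined in RFC 6143 (subset relevant to this audit).
SEC_NONE, SEC_VNC_AUTH = 1, 2
VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

def audit_rfb_greeting(server_bytes: bytes) -> dict:
    """Classify the server-to-client bytes of an RFB (VNC) handshake.

    server_bytes is the 12-byte ProtocolVersion message followed by the
    server's security message, e.g. cut from a capture of your own HMI.
    """
    m = VERSION_RE.fullmatch(server_bytes[:12])
    if not m:
        return {"is_vnc": False, "version": None, "types": [], "risk": "n/a"}
    version = (int(m.group(1)), int(m.group(2)))
    rest = server_bytes[12:]
    if version >= (3, 7):
        # RFB 3.7+: one count byte, then that many one-byte security types.
        types = list(rest[1:1 + rest[0]]) if rest else []
    else:
        # RFB 3.3: the server dictates a single type as a big-endian uint32.
        types = [int.from_bytes(rest[:4], "big")] if len(rest) >= 4 else []
    types = [t for t in types if t != 0]  # 0 = Invalid (server refused)
    if SEC_NONE in types:
        risk = "high"      # anyone who can reach the port controls the HMI
    elif SEC_VNC_AUTH in types:
        risk = "medium"    # password only; classic VNC auth keys on 8 characters
    elif types:
        risk = "review"    # vendor-specific or TLS-wrapped type, check manually
    else:
        risk = "unknown"   # capture ended before the security message
    return {"is_vnc": True, "version": version, "types": types, "risk": risk}

# Constructed sample greetings (not captured from any real system).
SAMPLES = {
    "hmi-no-auth": b"RFB 003.008\n\x01\x01",
    "hmi-password": b"RFB 003.008\n\x02\x02\x10",
    "legacy-3.3": b"RFB 003.003\n\x00\x00\x00\x02",
    "not-vnc": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_rfb_greeting(raw))
```

A "high" or "medium" result on an address reachable from the internet is the condition the incident describes; the remedy is to remove the exposure (VPN or jump host in front of the HMI), not only to change the password.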
Impact
The attack caused immediate operational disruption, with burst pipes leading to water supply interruptions: around 50 households without water for up to seven hours and about 450 for one hour. Physical damage included multiple pipe bursts requiring repairs, incurring economic costs. While no injuries occurred and public safety risks remained limited due to quick response, the incident highlighted vulnerabilities in small-scale critical infrastructure and prompted broader concerns about supply reliability during winter.
Attribution
The Danish Defence Intelligence Service (DDIS) assessed the attack as carried out by the pro-Russian group Z-Pentest, which has connections to the Russian state (including GRU links per some reports). It fits Russia's hybrid warfare strategy against Western supporters of Ukraine, using hacktivist proxies for destructive actions on civilian infrastructure to create fear, demonstrate capability, and impose costs without overt conflict.
Lessons
This incident underscores critical vulnerabilities in operational technology for small utilities, especially when prioritising cost over robust cybersecurity (e.g. exposed HMIs and weak credentials). Quick detection and response (enabled by transparency and preparedness) minimised impact in this case, demonstrating that true resilience in critical infrastructure means not just preventing attacks but rapidly containing damage, restoring services, and maintaining public trust amid hybrid threats. The utility's openness in sharing experiences also helped strengthen national awareness and preparedness efforts.