Pro-Russian Hacker Group "Russian Legion" Threatens Denmark Over Military Aid to Ukraine
A pro-Russian hacker collective known as Russian Legion has issued direct threats against Denmark, warning of large-scale cyberattacks in retaliation for the country’s planned 1.5 billion DKK military aid package to Ukraine. The group, which appears state-aligned but not directly state-funded, posted its first ultimatum on Telegram on January 28, 2026, demanding Denmark publicly reject the aid within 48 hours. Failure to comply, they warned, would trigger an escalation from DDoS attacks to more severe cyber intrusions.
Since the threat, Russian Legion and affiliated actors including figures identified as Inteid and Cardinal have published screenshots of Danish websites taken offline via DDoS attacks, using them as proof of capability while amplifying psychological pressure. The group has targeted both private companies and public-sector entities, with a particular focus on the energy sector. A coordinated attack was announced for 6 PM Moscow Time (4 PM Danish time) today, timed to maximize visibility and disruption.
The campaign follows a familiar pattern of Russian-linked hacktivist groups blending cyber sabotage with influence operations to undermine trust in institutions and intimidate populations. While initial attacks have been relatively low-impact, the group’s rhetoric suggests a potential shift toward more damaging operations if demands are ignored. Historically, such threats have often prioritized psychological impact over sustained disruption, though some attacks have disrupted critical infrastructure.
Danish organizations have been urged to bolster DDoS defenses, as these attacks remain the primary weapon for such groups, often leveraging easily accessible DDoS-for-hire services. Effective countermeasures include rate limiting, geo-blocking, Web Application Firewalls (WAFs), and cloud-based mitigation tools. Despite the escalating threats, past incidents suggest that robust defensive measures can limit both operational and psychological fallout.
Source: https://gbhackers.com/russian-hacker/
CardinalOps cybersecurity rating report: https://www.rankiteo.com/company/cardinalops
Legion cybersecurity rating report: https://www.rankiteo.com/company/legionstudio
"id": "CARLEG1770170560",
"linkid": "cardinalops, legionstudio",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'industry': 'Public Sector, Energy, General Business',
'location': 'Denmark',
'type': 'Government, Private Companies, Energy '
'Sector'}],
'attack_vector': 'DDoS-for-hire services, Psychological warfare (Telegram '
'threats)',
'date_detected': '2026-01-28',
'date_publicly_disclosed': '2026-01-28',
'description': 'A pro-Russian hacker collective known as Russian Legion has '
'issued direct threats against Denmark, warning of large-scale '
'cyberattacks in retaliation for the country’s planned 1.5 '
'billion DKK military aid package to Ukraine. The group posted '
'an ultimatum on Telegram demanding Denmark publicly reject '
'the aid within 48 hours or face escalating cyber intrusions, '
'including DDoS attacks and potential targeting of critical '
'infrastructure.',
'impact': {'brand_reputation_impact': 'Undermined trust in Danish '
'institutions',
'operational_impact': 'Temporary website outages, Potential '
'disruption to critical infrastructure',
'systems_affected': 'Danish websites (private and public-sector), '
'Energy sector'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Robust defensive measures (e.g., DDoS mitigation tools) '
'can limit operational and psychological fallout from '
'hacktivist campaigns. Psychological warfare is a key '
'tactic in geopolitically motivated cyber threats.',
'motivation': "Retaliation for Denmark's military aid to Ukraine, "
'Geopolitical intimidation',
'post_incident_analysis': {'corrective_actions': 'Implement DDoS mitigation '
'strategies, enhance threat '
'intelligence monitoring, '
'prepare for potential '
'escalation to more severe '
'attacks.',
'root_causes': "Geopolitical tensions (Denmark's "
'military aid to Ukraine), '
'Hacktivist retaliation'},
'recommendations': 'Bolster DDoS defenses (rate limiting, geo-blocking, WAFs, '
'cloud-based mitigation). Monitor threat actor '
'communications for escalation indicators. Prepare for '
'potential shifts to more damaging attacks if demands are '
'ignored.',
'references': [{'date_accessed': '2026-01-28',
'source': 'Telegram (Russian Legion ultimatum)'}],
'response': {'containment_measures': 'Rate limiting, Geo-blocking, Web '
'Application Firewalls (WAFs), '
'Cloud-based mitigation tools'},
'stakeholder_advisories': 'Danish organizations urged to strengthen DDoS '
'defenses and monitor for escalation.',
'threat_actor': 'Russian Legion (pro-Russian hacker group), Inteid, Cardinal',
'title': "Pro-Russian Hacker Group 'Russian Legion' Threatens Denmark Over "
'Military Aid to Ukraine',
'type': 'Cyber Threat, DDoS Attack, Influence Operation'}