
Latvia’s state-owned forestry company, LVM, said on Thursday it is still working to restore its IT systems weeks after a ransomware attack disrupted several internal and customer services.
The attack, first disclosed in late June, knocked the company’s mapping platform and hunting application, as well as systems used to exchange information with contractors and customers offline. Latvian authorities said the attackers had likely been inside the company’s network for more than a week before they were detected.
LVM’s chief technology officer, Maris Kuzmins, told local media earlier this week that the situation has stabilized, but returning operations to normal remains “quite challenging.” About two-thirds of customers with service contracts still do not have access to the affected systems, he said.
According to Kuzmins, the attackers exploited a vulnerability in a system that had not been updated for two years, but he did not identify the affected software. The company previously said it had not received a ransom demand and would refuse to pay even if one were made.
Latvijas Valsts Mezi is one of the country’s most profitable state-owned companies. It manages most of Latvia’s state forests; harvests and sells timber; maintains public recreation sites; and provides geographic information and mapping services.
Latvia’s national computer emergency response team, CERT.LV, attributed the intrusion to a foreign, financially motivated ransomware group that has previously targeted companies and public institutions in NATO and European Union countries. Officials have not identified the group.
The attackers leaked roughly 44 gigabytes of stolen data online, although investigators believe they accessed significantly more information than they ultimately published. According to CERT.LV, the exposed files include internal documents, email correspondence, software code repositories, digital certificates, cryptographic keys and user credentials.
Election infrastructure is separate
The attack also prompted scrutiny because LVM helped develop new functionality for Latvia’s electronic voter registration system, which allows voters to cast ballots at any polling station.
Latvian authorities said the election infrastructure was not compromised because the software was developed in a separate environment and its code was never stored in LVM’s corporate repositories. CERT.LV said it had reviewed every software delivery made for that project and found no evidence of malicious code or unauthorized access, concluding the system is safe to use in the upcoming parliamentary elections.
CERT.LV said the same threat actor also compromised a server belonging to Latvian pharmaceutical company Olpha, formerly known as Olainfarm. The Olpha breach has since been contained, with no evidence so far of broader damage beyond the affected server.
Authorities said the two breaches were technically unrelated despite being attributed to the same threat actor.
According to CERT.LV, the group behind the incident “continues its activities in Latvian cyberspace, purposefully searching for new potential vulnerabilities in the infrastructures of public- and private-sector organizations.”
Recorded Future
Intelligence Cloud.
