Ransomware Cripples Latvian State Forestry Company, Data Leaked
Latvia's state-owned forestry company, **LVM**, is grappling with the aftermath of a ransomware attack that has disrupted critical IT systems for weeks. The intrusion, attributed to a financially motivated foreign group, led to the exfiltration and leakage of sensitive data, raising concerns about operational recovery and broader cybersecurity threats within the region.
# Ransomware Cripples Latvian State Forestry Company, Data Leaked
**LVM**, Latvia's state-owned forestry company, is still striving to restore its IT systems weeks after a ransomware attack severely disrupted several internal and customer services.
The attack, which commenced in late June, brought down the company's mapping platform, hunting application, and systems vital for information exchange with contractors and customers. Latvian authorities indicated that the attackers likely maintained a presence within **LVM**'s network for over a week before detection.
**Maris Kuzmins**, **LVM**'s chief technology officer, informed local media that while the situation has stabilized, a full return to normal operations remains "quite challenging." Approximately two-thirds of customers with service contracts are still unable to access the affected systems.
According to Kuzmins, the attackers exploited a vulnerability in a system that had not been updated for two years. He did not specify the compromised software. **LVM** had previously stated that it had not received a ransom demand and would refuse to pay if one were made.
**Latvijas Valsts Mezi** is one of Latvia's most profitable state-owned enterprises, responsible for managing most of the country's state forests, timber harvesting and sales, public recreation site maintenance, and geographic information and mapping services.
Latvia's national computer emergency response team, **CERT.LV**, attributed the intrusion to a foreign, financially motivated ransomware group. This group has a history of targeting companies and public institutions in **NATO** and **European Union** countries, though officials have not publicly identified the specific group.
The attackers leaked approximately 44 gigabytes of stolen data online. Investigators believe the group accessed significantly more information than what was ultimately published. **CERT.LV** reported that the exposed files included internal documents, email correspondence, software code repositories, digital certificates, cryptographic keys, and user credentials.
## Election Infrastructure Separate and Secure
The attack also drew scrutiny due to **LVM**'s role in developing new functionality for Latvia's electronic voter registration system, which enables voters to cast ballots at any polling station.
Latvian authorities confirmed that the election infrastructure was not compromised. The software was developed in a separate environment, and its code was never stored in **LVM**'s corporate repositories. **CERT.LV** stated it had reviewed every software delivery for that project and found no evidence of malicious code or unauthorized access, concluding the system is safe for upcoming parliamentary elections.
**CERT.LV** also reported that the same threat actor compromised a server belonging to Latvian pharmaceutical company **Olpha**, formerly known as **Olainfarm**. The **Olpha** breach has since been contained, with no evidence of broader damage beyond the affected server.
Authorities clarified that despite being attributed to the same threat actor, the two breaches were technically unrelated.
**CERT.LV** cautioned that the group behind these incidents "continues its activities in Latvian cyberspace, purposefully searching for new potential vulnerabilities in the infrastructures of public- and private-sector organizations."