// 3 ZERO-DAY · 1 CVE · 2 EXPLOIT IN THE LAST 24H
Latvia's state-owned forestry company Latvijas valsts meži (LVM) remains paralyzed weeks after a June 22 ransomware attack. Roughly two-thirds of contract customers still lack system access. Attackers exploited a vulnerability in a system unpatched for two years, dwelled in the network for over a week before detection, and leaked 44 GB of data — including source code, certificates, cryptographic keys, credentials, and password hashes. CERT.LV attributes the intrusion to a foreign, financially motivated ransomware group with a history of targeting NATO and EU entities. LVM's CTO calls restoration "quite challenging" with no completion date in sight.

On June 22, 2026, Latvia's state-owned forestry company Latvijas valsts meži (LVM) detected a ransomware attack. As of July 7 — more than two weeks later — restoration remains "quite challenging," and roughly two-thirds of customers with service contracts are still cut off from systems. The case maps a systemic failure: a single system left unpatched for two years opened the door to a resilience crisis that spilled data, froze operations, and raised questions about IT governance in the Latvian state.

Key Takeaways
  • LVM suffered a ransomware attack detected June 22, 2026; restoration is still underway as of July 7, with roughly two-thirds of contract customers still lacking system access.
  • Attackers exploited a vulnerability in a system unpatched for two years; the specific software has not been publicly identified.
  • \li>CERT.LV confirms the threat actor was inside the LVM network for over a week before detection; it is a foreign, financially motivated ransomware group with prior operations against NATO and EU countries.
  • Approximately 44 GB of data were leaked, but the total volume potentially obtained is presumably much larger; files include internal documents, emails, source-code repositories, digital certificates, cryptographic keys, credentials, and password hashes.

The Hidden Vulnerability: Two Years of Neglected Maintenance

LVM CTO M\u0101ris Kuzmins stated that attackers exploited "a vulnerability in a system that had not been updated for two years." He did not identify the software involved, but the technical profile suggests an externally exposed system or one reachable via lateral movement by actors already inside the network. The lack of maintenance is not a matter of a patch missed by a few weeks: it describes a software lifecycle left to rot through at least two seasons of security updates.

The lateral dwell time lasted more than a week. According to CERT.LV, the attackers were already inside the LVM network when staff detected the anomaly on June 22. That interval allowed reconnaissance, lateral movement, and likely the selection of high-value targets for double extortion: encryption and leak. The technique aligns with mature ransomware groups that treat initial access as a commodity to be exploited optimally before the noise of encryption begins.

The Exfiltration: 44 GB Leaked, but the Damage Is Wider

CERT.LV confirmed that the attacker published 44 GB of stolen data online, noting that "the total volume of data potentially obtained is presumably much larger." The gap between accessible data and leaked data leaves a shadow over how much material remains in the group's hands and how much could be monetized or resold later.

According to convergent sources, the leaked content ranges from corporate correspondence to IT source-code repositories, digital certificates, cryptographic keys, user credentials, and password hashes. Cybersecurity expert Elviss Strazdi\u0146\u0161 reported communicating directly with the attackers and learning of a ransom demand equal to 0.1% of LVM's 2025 revenue: over \u20ac600,000. LVM stated it received no formal demand and refuses to pay in any case. The discrepancy between these two accounts remains unresolved: the cited source does not specify whether Strazdi\u0146\u0161 acted on behalf of LVM or independently.

"returning operations to normal remains 'quite challenging'" \u2014 M\u0101ris Kuzmins, CTO LVM

The Operational Paralysis: From LVM GEO to the Mednis App

The operational impact extends beyond IT. Offline systems include the LVM GEO mapping platform, the Mednis hunting application, and information-exchange channels with contractors and clients. For a state forestry company managing roughly 50% of the national territory, the loss of geospatial visibility and the break in the logistics chain with contractors constitute structural damage, not merely a technical inconvenience.

Containment was executed through total disconnection of IT infrastructure starting at 08:30 on June 22, with complete internet access blocked by 10:15. The decision halted propagation but also turned the acute emergency into a chronic restoration. As of July 7 the situation is "stabilized," but the path to normality still proceeds in stages. The CTO provided no completion date.

The Electoral Code and the Boundary with the State

One branch of the attack touched the sensitive boundary between state-owned enterprise and state institutions. LVM developed code for Latvia's electronic voter registration system. CERT.LV verified every software delivery in a separate environment, confirming the code contains no malicious modifications and is "safe to use in the upcoming parliamentary elections." The delivery-by-delivery analysis ruled out compromise of the electoral pipeline.

The verification is reassuring but not dispositive: it shows the disaster was contained, not that the conditions enabling it were acceptable. A forestry company with an obsolete GIS system that also manages electoral software components raises questions about architectural segmentation and risk classification in Latvian public administration. Baltic Focus estimated that roughly 7,000 employee passwords were stolen, a figure attributed to media sources and not confirmed by CERT.LV.

The Geopolitical Context: A Group with Systemic Appetite

CERT.LV characterized the group behind the attack as a foreign, financially motivated ransomware entity with a track record of targeting companies and public institutions in NATO and EU countries. The same group compromised a server at pharmaceutical firm Olpha, but the two attacks are technically unrelated: no infrastructure overlaps linking the two operations have emerged to date.

The group "continues its activities in Latvian cyberspace, systematically seeking new potential vulnerabilities," according to CERT.LV. This indication of a systemic, not opportunistic, pattern places the LVM incident in a broader threat arc. For a NATO country of 1.9 million people with strategic forest assets, the frequency and precision of ransomware targeting constitute a pressure vector that goes beyond direct economic damage.

Why It Matters

LVM has not published a restoration cost estimate, but its 2025 revenue of \u20ac604.585 million and profit of \u20ac206.73 million provide the scale: a \u20ac600,000 ransom represents a minimal fraction, while the operational cost of weeks of blackout is presumably far higher. The case documents how neglected preventive maintenance on a single system can trigger an avalanche collapse with recovery costs far exceeding those of routine management.

CERT.LV has notified the State Police, the State Data Inspectorate (DVI), customers, and business partners. The notification chain is active, but the dossier does not specify internal corrective measures adopted by LVM or disciplinary actions for the failure to maintain the vulnerable system. The estimated time for restoration completion remains undeclared.

The identity of the ransomware group, the exact CVE, and the specific obsolete software have not been disclosed. These gaps reduce the ability of third parties to verify their own exposure through concrete indicators of compromise and leave risk assessment based on generic profiles rather than reproducible technical signatures.

FAQ

Was Latvia's electronic voting system compromised?

No. CERT.LV verified every LVM software delivery related to the electoral system in a separate environment, confirming the absence of malicious modifications. The code was deemed safe for the upcoming parliamentary elections.

How long did the attackers dwell in the network?

According to CERT.LV, more than a week before detection on June 22, 2026.

What is the latest status on restoration?

As of July 7, 2026, CTO M\u0101ris Kuzmins stated that restoration remains "quite challenging" and that roughly two-thirds of customers with service contracts still lack system access. No completion date has been indicated.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. therecord.media
  2. eng.lsm.lv
  3. bnn-news.com
  4. balticfocus.org
  5. cert.lv