ctipilot.ch

CERT.LV LVM/Olpha ransomware intrusion (2026)

incident · incident:cert-lv-lvm-olpha-ransomware-2026

Ransomware/data-extortion intrusion against Latvia's state forestry company LVM (initial access 11 June 2026, detonation 22-23 June) via a ~2-year-unpatched exposed system, 44 GB exfiltrated; the same foreign financially-motivated actor also compromised a server at essential-services provider AS Olpha with log-wiping. CERT.LV assesses the actor has hit other NATO/EU member-state institutions (CERT.LV, 2026-07).

Aliases: Latvijas valsts meži ransomware, LVM cyberattack

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
4
3 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

Privilege Escalation TA0004

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

Stealth TA0005

T1070Indicator Removal×1

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · ATT&CK page ↗

Story timeline

  1. 2026-07-10CERT.LV: ransomware crew breaches Latvia's state forestry operator LVM via a 2-year-unpatched system, hits essential-services provider Olpha, and is probing other EU/NATO institutions
    active-threatsCERT.LV warns a financially-motivated crew that breached Latvian state forestry and an essential-services provider is targeting other EU/NATO state institutions

Where this entity is cited

  • active-threats1

Source distribution

  • cert.lv2 (50%)
  • bnn-news.com1 (25%)
  • therecord.media1 (25%)

Entries about CERT.LV LVM/Olpha ransomware intrusion (2026) (1)

2026-07-10 · view entry permalink →

NOTABLE

CERT.LV: ransomware crew breaches Latvia's state forestry operator LVM via a 2-year-unpatched system, hits essential-services provider Olpha, and is probing other EU/NATO institutions

CERT.LV, Latvia's national CERT, confirmed that a foreign, financially-motivated ransomware group breached AS "Latvijas valsts meži" (LVM), the state-owned forestry company, by exploiting a public-facing system that LVM's own IT director says had gone roughly two years without a security update (he declined to name the affected software) (T1190, The Record, 2026-07-09). Initial access was gained on 11 June 2026, but the actor stayed dormant for about eleven days before detonating on the night of 22-23 June — Latvia's prime minister stated publicly that no detection tooling existed to catch the intervening abnormal activity, and CERT.LV separately flagged a gap in LVM's compliance with Latvia's national cybersecurity law (BNN News, 2026-07-02). Before the extortion attempt the actor exfiltrated 44 GB — internal documents, email, business-IT project code repositories, digital certificates and keys, and user passwords together with their hash values — and CERT.LV's incident recommendations state that all authentication material tied to the affected infrastructure must be treated as compromised and rotated (T1078, CERT.LV, 2026-07-03). During analysis CERT.LV found the same actor had also gained unauthorised access to at least one server at AS Olpha (formerly Olainfarm), a Latvian essential-services provider; data there was not encrypted but forensic log deletion was observed (T1070), a technically separate, contemporaneous intrusion by the same group.

The reason this is a signal beyond Latvia: CERT.LV states the group has run comparable operations against other companies and state institutions in NATO and EU member states, and is continuing to probe Latvian public- and private-sector infrastructure for new footholds. CERT.LV's published network-indicator set names Sliver (an open-source red-team C2 framework) alongside generic C2 servers and Proton VPN egress as the observed infrastructure (T1071), and its guidance explicitly calls out legitimate-looking tunnelling services (Cloudflare Tunnel, Microsoft Dev Tunnels, ngrok-class tunnels) as a traffic class defenders should treat as suspicious for this campaign profile (CERT.LV, 2026-07-03).

The attackers exploited a vulnerability in a system that had not been updated for two years, but he did not identify the affected software.

The Record (Recorded Future News) 2026-07-09

It is unacceptable that there were no detection tools in the system to identify abnormal activity.

BNN News (Baltic News Network) 2026-07-02
incident10 Jul 04:36Zmulti-sourceOpen finding ↗