ctipilot.ch
← Back to the live brief
NOTABLEincidentNATOA2

CERT.LV: ransomware crew breaches Latvia's state forestry operator LVM via a 2-year-unpatched system, hits essential-services provider Olpha, and is probing other EU/NATO institutions

discovered 2026-07-10 04:36 UTCrun 2026-07-10T0409Z-intel4 sourcesmulti-source

CERT.LV, Latvia's national CERT, confirmed that a foreign, financially-motivated ransomware group breached AS "Latvijas valsts meži" (LVM), the state-owned forestry company, by exploiting a public-facing system that LVM's own IT director says had gone roughly two years without a security update (he declined to name the affected software) (T1190, The Record, 2026-07-09). Initial access was gained on 11 June 2026, but the actor stayed dormant for about eleven days before detonating on the night of 22-23 June — Latvia's prime minister stated publicly that no detection tooling existed to catch the intervening abnormal activity, and CERT.LV separately flagged a gap in LVM's compliance with Latvia's national cybersecurity law (BNN News, 2026-07-02). Before the extortion attempt the actor exfiltrated 44 GB — internal documents, email, business-IT project code repositories, digital certificates and keys, and user passwords together with their hash values — and CERT.LV's incident recommendations state that all authentication material tied to the affected infrastructure must be treated as compromised and rotated (T1078, CERT.LV, 2026-07-03). During analysis CERT.LV found the same actor had also gained unauthorised access to at least one server at AS Olpha (formerly Olainfarm), a Latvian essential-services provider; data there was not encrypted but forensic log deletion was observed (T1070), a technically separate, contemporaneous intrusion by the same group.

The reason this is a signal beyond Latvia: CERT.LV states the group has run comparable operations against other companies and state institutions in NATO and EU member states, and is continuing to probe Latvian public- and private-sector infrastructure for new footholds. CERT.LV's published network-indicator set names Sliver (an open-source red-team C2 framework) alongside generic C2 servers and Proton VPN egress as the observed infrastructure (T1071), and its guidance explicitly calls out legitimate-looking tunnelling services (Cloudflare Tunnel, Microsoft Dev Tunnels, ngrok-class tunnels) as a traffic class defenders should treat as suspicious for this campaign profile (CERT.LV, 2026-07-03).

The attackers exploited a vulnerability in a system that had not been updated for two years, but he did not identify the affected software.

The Record (Recorded Future News) 2026-07-09

It is unacceptable that there were no detection tools in the system to identify abnormal activity.

BNN News (Baltic News Network) 2026-07-02

Defender actions

  • Treat any authentication material (passwords, hashes, service-account credentials, certificates/keys) tied to an internet-exposed system that has gone unpatched for an extended period as already compromised and rotate it — LVM's 44 GB exfiltration included user passwords and their hashes.
  • Inventory internet-facing systems for anything unpatched beyond ~1 year and prioritise it for patching or isolation; CERT.LV names long-unpatched exposed systems as the entry point here.
  • Hunt for abuse of legitimate tunnelling services (Cloudflare Tunnel, Microsoft Dev Tunnels, ngrok-class tunnels) and open-source C2 frameworks (Sliver) as an egress/C2 class, and deploy out-of-band log retention that survives host encryption or deliberate log deletion.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.