CERT.LV: ransomware crew breaches Latvia's state forestry operator LVM via a 2-year-unpatched system, hits essential-services provider Olpha, and is probing other EU/NATO institutions
CERT.LV, Latvia's national CERT, confirmed that a foreign, financially-motivated ransomware group breached AS "Latvijas valsts meži" (LVM), the state-owned forestry company, by exploiting a public-facing system that LVM's own IT director says had gone roughly two years without a security update (he declined to name the affected software) (T1190, The Record, 2026-07-09). Initial access was gained on 11 June 2026, but the actor stayed dormant for about eleven days before detonating on the night of 22-23 June — Latvia's prime minister stated publicly that no detection tooling existed to catch the intervening abnormal activity, and CERT.LV separately flagged a gap in LVM's compliance with Latvia's national cybersecurity law (BNN News, 2026-07-02). Before the extortion attempt the actor exfiltrated 44 GB — internal documents, email, business-IT project code repositories, digital certificates and keys, and user passwords together with their hash values — and CERT.LV's incident recommendations state that all authentication material tied to the affected infrastructure must be treated as compromised and rotated (T1078, CERT.LV, 2026-07-03). During analysis CERT.LV found the same actor had also gained unauthorised access to at least one server at AS Olpha (formerly Olainfarm), a Latvian essential-services provider; data there was not encrypted but forensic log deletion was observed (T1070), a technically separate, contemporaneous intrusion by the same group.
The reason this is a signal beyond Latvia: CERT.LV states the group has run comparable operations against other companies and state institutions in NATO and EU member states, and is continuing to probe Latvian public- and private-sector infrastructure for new footholds. CERT.LV's published network-indicator set names Sliver (an open-source red-team C2 framework) alongside generic C2 servers and Proton VPN egress as the observed infrastructure (T1071), and its guidance explicitly calls out legitimate-looking tunnelling services (Cloudflare Tunnel, Microsoft Dev Tunnels, ngrok-class tunnels) as a traffic class defenders should treat as suspicious for this campaign profile (CERT.LV, 2026-07-03).
The attackers exploited a vulnerability in a system that had not been updated for two years, but he did not identify the affected software.
It is unacceptable that there were no detection tools in the system to identify abnormal activity.
Defender actions
- Treat any authentication material (passwords, hashes, service-account credentials, certificates/keys) tied to an internet-exposed system that has gone unpatched for an extended period as already compromised and rotate it — LVM's 44 GB exfiltration included user passwords and their hashes.
- Inventory internet-facing systems for anything unpatched beyond ~1 year and prioritise it for patching or isolation; CERT.LV names long-unpatched exposed systems as the entry point here.
- Hunt for abuse of legitimate tunnelling services (Cloudflare Tunnel, Microsoft Dev Tunnels, ngrok-class tunnels) and open-source C2 frameworks (Sliver) as an egress/C2 class, and deploy out-of-band log retention that survives host encryption or deliberate log deletion.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.