Thu 09 Jul 2026 / 13:31 ET
Kernel
Security 3 min read

Latvia’s state forest manager is still rebuilding after ransomware breach

LVM says key customer and mapping systems remain disrupted after attackers stole data and exploited an unpatched system.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

Latvia’s state forest manager is still rebuilding after ransomware breach
img: The Record

Latvia’s state-owned forestry company Latvijas Valsts Mezi, or LVM, is still restoring IT systems weeks after a ransomware attack took down services used by customers, contractors, hunters and mapping users, the company said Thursday.

The disruption is not confined to back-office inconvenience. LVM manages most of Latvia’s state forests, sells timber, maintains public recreation sites and provides geographic information services. When its systems go down, people who buy wood, work on forest contracts or rely on its maps get dragged into the blast radius.

LVM first disclosed the incident in late June. The company said the attack affected its mapping platform, a hunting application, and systems used to exchange information with customers and contractors. Latvian authorities later said the intruders had probably been inside LVM’s network for more than a week before they were found.

Maris Kuzmins, LVM’s chief technology officer, told local media this week that the company has stabilized the situation, but getting systems back to normal remains difficult. He said roughly two-thirds of customers with service agreements still cannot use the affected systems.

According to Kuzmins, the attackers got in through a vulnerability in a system that had not been updated for two years. He did not name the software. That omission leaves outsiders without the useful part of the lesson: which product failed, which patch was missing, and whether other organizations should be checking the same thing today.

LVM has said it has not received a ransom demand. The company also said it would not pay if one arrived.

Stolen files included credentials and keys

Latvia’s national computer emergency response team, CERT.LV, attributed the intrusion to a foreign ransomware group motivated by money. CERT.LV said the same group has previously attacked companies and public institutions in NATO and European Union countries, though officials have not publicly named it.

The attackers published about 44 gigabytes of stolen LVM data online, according to CERT.LV. Investigators believe the attackers viewed or took much more than they released.

CERT.LV said the exposed material included internal documents, email correspondence, software code repositories, digital certificates, cryptographic keys and user credentials. Those last categories matter because they can turn one breach into follow-on work for defenders: certificates may need revocation, keys may need rotation, and exposed passwords may need resets beyond the obvious user accounts.

Election system review found no compromise

The incident drew wider attention because LVM had helped build new features for Latvia’s electronic voter registration system. That system lets voters cast ballots at any polling station.

Latvian authorities said the election infrastructure was not breached. CERT.LV said the election software was built in a separate environment and that its code was not kept in LVM’s corporate repositories.

CERT.LV said it reviewed every software delivery connected to that project and found no evidence of malicious code or unauthorized access. The agency concluded the system is safe to use in the upcoming parliamentary elections.

CERT.LV also said the same threat actor compromised a server at Latvian pharmaceutical company Olpha, formerly Olainfarm. That breach has been contained, and officials said they have found no evidence of wider damage beyond the affected server.

Authorities said the LVM and Olpha intrusions were technically separate, despite being linked to the same actor. CERT.LV warned that the group is still active in Latvian cyberspace and is looking for vulnerabilities in both public- and private-sector infrastructure.

This story draws on original reporting from The Record.

More Security/

view all ↗