What Was Leaked After the Cyberattack on Latvijas valsts meži? Cert.lv Explains

So far, the attacker has leaked 44 gigabytes of data stolen during the cyberattack on Latvijas valsts meži (LVM), although the total volume of data potentially obtained is likely to be much larger, according to Latvia’s national cybersecurity incident response institution, Cert.lv.

According to the institution, the leaked data mainly consists of internal documents, email correspondence and attachments, LVM’s business IT project source code repository, certificates and cryptographic keys for various systems, as well as user passwords and password hash values.

Cert.lv stressed that the primary impact of the incident falls on the company and its operations. LVM’s priority is to restore its systems, ensure business continuity, and minimise the impact of the cyberattack on its core activities.

While analysing the leaked data, Cert.lv is identifying potential risks to third parties and is immediately notifying affected organisations of the need to change authentication credentials and implement other preventive security measures. In addition, all certificates and cryptographic keys found in the leak are being systematically identified and replaced.

The institution emphasised that, during recovery from an incident of this kind, all access credentials and authentication data associated with the affected infrastructure must be considered compromised and replaced.

Cert.lv also noted that, given the possibility that personal data may have been exposed, LVM has notified the Data State Inspectorate (DVI).

Regarding public concerns about the development of Latvia’s election system, Cert.lv explained that LVM had only been responsible for developing additional functionality for the Electronic Online Voter Register (ETVR). The work was carried out by a four-person team, and the source code was not stored in LVM’s business code repositories. Instead, software deliveries were made from a separate, isolated environment directly to a dedicated code repository maintained by the State Digital Development Agency (VDAA).

Cert.lv said it had verified every software delivery from LVM and compared every line of code transferred to VDAA. No malicious modifications or unauthorised access to these components were detected, meaning the software is considered safe to use.

LVM previously stated that any possible data exfiltration resulting from the cyberattack was stopped at 8:30 a.m. on 22 June, when the company began systematically disconnecting its entire IT infrastructure.

The company explained that it immediately informed Cert.lv of the incident. Following the institution’s recommendations, all internet access to LVM’s IT infrastructure was completely blocked by 10:15 a.m. on the same day.

Since containing the attack, LVM’s IT specialists have been working around the clock, including throughout the public holidays, to restore all IT systems. Working closely with Cert.lv, the company says no additional data leaks have been detected since the attack was contained.

LVM has reported the cyberattack to the State Police, the Data State Inspectorate, and other law enforcement authorities. The company has also informed its customers and business partners about the cybersecurity incident and the identified personal data breach.

As previously reported, the cyberattack on LVM’s IT infrastructure was detected on 22 June. As a precaution, the company disconnected several externally accessible systems, including LVM GEO, its mapping services, and the Mednis hunting application. Several internal systems used for communication with customers and service providers were also taken offline.

Responsibility for the cyberattack has been claimed by a foreign ransomware group. The State Police have launched a criminal investigation, while Cert.lv continues to investigate the circumstances of the incident.

Cybersecurity expert Elviss Strazdiņš previously stated that he had communicated with the individual or group claiming responsibility for the attack and learned the alleged ransom demand. According to him, the attackers demanded 0.1% of LVM’s annual revenue—more than €600,000—in exchange for decrypting the company’s data.

In 2025, LVM reported revenue of €604.585 million, up 3.2% from the previous year, while profit increased by 37.7% to €206.73 million.

Founded in 1999, Latvijas valsts meži (LVM) manages Latvia’s state-owned forests. The company has share capital of €525.989 million, is wholly owned by the Latvian state, and its shareholder is the Ministry of Agriculture.