Another Company Identified in Latvijas valsts meži Cyberattack Investigation

The cybercriminal responsible for the attack on Latvijas valsts meži (LVM) also compromised a server belonging to pharmaceutical manufacturer Olpha, Latvia’s national cybersecurity incident response institution Cert.lv informed the LETA news agency.

According to Cert.lv, investigators discovered the breach of Olpha’s server while analysing the cyberattack against Latvijas valsts meži. The institution stressed that the same threat actor was responsible for both incidents, although the attacks were technically unrelated and occurred independently of one another.

Cert.lv has launched an investigation into the incident and has confirmed that at least one of Olpha’s information systems—a server—was accessed without authorisation. However, the data was not encrypted. Investigators also found evidence that log files had been deleted.

At present, Olpha has contained the incident. Only a single server was affected, and the company has so far identified no additional damage resulting from the breach. Cert.lv noted that the forensic investigation is continuing in cooperation with the company.

According to Cert.lv’s cyber threat monitoring data, the foreign financially motivated ransomware group responsible for the attack remains active in Latvia’s cyberspace.

The institution said the ransomware group is systematically searching for new vulnerabilities in the infrastructure of both public and private sector organisations.

To help organisations identify potential threats at an early stage, Cert.lv has published the network indicators of compromise (IoCs) identified during the Latvijas valsts meži incident. The list of indicators may be updated as new information becomes available.

Cert.lv urges organisations—particularly entities covered by Latvia’s National Cybersecurity Law and operators of critical infrastructure that do not yet use Cert.lv services—to incorporate these indicators into their network monitoring.
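One way to act on such a list is to match it against logs you already collect (proxy, DNS, firewall). The script below is an added illustration, not Cert.lv's tooling or the published LVM indicator list: the indicator feed and the log lines in it are constructed placeholders in documentation address ranges, and the feed format (type,value,comment) is an assumption chosen for the example. It handles the three indicator kinds a network IoC list typically carries (single IPs, CIDR ranges, and domains including their subdomains) and reports which line matched which indicator.

```python
"""Match a network IoC list against local log lines (added example, constructed data)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed placeholder indicators in documentation ranges.
# These are NOT the indicators Cert.lv published; the CSV-style layout is an assumption.
IOC_FEED = """\
# type,value,comment
ip,198.51.100.23,placeholder command-and-control address
cidr,203.0.113.0/24,placeholder hosting range
domain,update-check.example,placeholder command-and-control domain
"""

# Constructed sample log lines in a few common formats.
SAMPLE_LOGS = [
    # Squid-style proxy log: CONNECT to a subdomain of an IoC domain, resolved to an IoC IP
    '1719041400.123 45 10.0.5.17 TCP_TUNNEL/200 2390 CONNECT cdn.update-check.example:443 - HIER_DIRECT/198.51.100.23 -',
    # BIND query log: lookup of an unrelated name (must not match)
    'client 10.0.5.22#53112: query: www.lvm.example IN A + (10.0.0.53)',
    # Firewall log: outbound connection into the IoC CIDR range
    'Jun 22 08:12:31 fw01 kernel: OUT=eth1 SRC=10.0.5.40 DST=203.0.113.77 PROTO=TCP DPT=443',
    # Firewall log: benign outbound connection (must not match)
    'Jun 22 08:12:35 fw01 kernel: OUT=eth1 SRC=10.0.5.40 DST=192.0.2.10 PROTO=TCP DPT=443',
]

# Dotted-quad candidates; the lookarounds stop partial matches inside longer numbers.
IPV4_RE = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')
# Hostnames: one or more labels followed by an alphabetic top-level label.
HOST_RE = re.compile(r'(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])', re.IGNORECASE)


def parse_iocs(feed: str) -> Dict[str, object]:
    """Parse the feed into exact IPs, CIDR networks and domains; reject unknown types."""
    ips, nets, domains = set(), [], set()
    for raw in feed.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        kind, value, *_ = [field.strip() for field in line.split(',')]
        kind = kind.lower()
        if kind == 'ip':
            ips.add(str(ipaddress.ip_address(value)))      # normalises and validates
        elif kind == 'cidr':
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == 'domain':
            domains.add(value.lower().rstrip('.'))
        else:
            raise ValueError(f'unknown indicator type: {kind}')
    return {'ips': ips, 'nets': nets, 'domains': domains}


def scan_line(line: str, iocs: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (indicator_type, matched_value) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for ip_str in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                      # e.g. 999.1.1.1 is not a real address
        if ip_str in iocs['ips']:
            hits.append(('ip', ip_str))
        for net in iocs['nets']:
            if ip in net:
                hits.append(('cidr', f'{ip_str} in {net}'))
    for host in HOST_RE.findall(line):
        name = host.lower().rstrip('.')
        for domain in iocs['domains']:
            # Exact match or any subdomain of the indicator domain.
            if name == domain or name.endswith('.' + domain):
                hits.append(('domain', host))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, object]) -> List[Tuple[int, str, str]]:
    """Scan every line; return (line_number, indicator_type, matched_value) for each hit."""
    report = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line, iocs):
            report.append((number, kind, value))
    return report


if __name__ == '__main__':
    for number, kind, value in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_FEED)):
        print(f'line {number}: {kind} indicator matched: {value}')
```

On the constructed input this flags line 1 twice (the IoC IP and a subdomain of the IoC domain) and line 3 once (an address inside the IoC range), while the two benign lines stay silent. A hit is a starting point for investigation rather than proof of compromise, and the feed should be re-parsed whenever the published list is updated.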

In connection with the Latvijas valsts meži cyber incident, Cert.lv has also published recommendations aimed at strengthening the cyber resilience of IT infrastructure. The guidance is intended to help public institutions and private organisations reduce cyber risks and improve their ability to detect and respond to attacks at an early stage.

The indicators of compromise and Cert.lv’s recommendations are available on the institution’s website.

Earlier, Cert.lv told LETA that the attackers had leaked 44 gigabytes of data stolen during the cyberattack on Latvijas valsts meži, although the total amount of compromised data is believed to be significantly larger.

According to the institution, the leaked information mainly consists of internal documents, email correspondence and attachments, the company’s business IT project source code repositories, various system certificates and cryptographic keys, as well as user passwords and password hash values.

While analysing the leaked data, Cert.lv is identifying potential risks to third parties and immediately notifying affected organisations so they can change authentication credentials and implement additional preventive measures. The institution is also systematically identifying all exposed certificates and cryptographic keys and coordinating their replacement.

Cert.lv emphasised that, following an incident of this nature, all authentication credentials and access data associated with the affected infrastructure should be considered compromised and must be replaced.

The institution also noted that, because the leaked data may include personal information, the company has notified Latvia’s Data State Inspectorate (DVI).

Latvijas valsts meži previously stated that any potential data exfiltration resulting from the cyberattack was halted at 8:30 a.m. on 22 June, when the company began systematically disconnecting its entire IT infrastructure.

According to the company, Cert.lv was informed immediately after the incident was detected. Following the institution’s recommendations, LVM completely blocked internet access to its IT infrastructure by 10:15 a.m. on the same day.

Since containing the attack, LVM's IT specialists have been working under emergency procedures to restore all affected systems. The company says that, working in close cooperation with Cert.lv, it has detected no further data leaks since the initial breach.

The cyberattack on Latvijas valsts meži’s IT infrastructure was discovered on 22 June. As a precaution, several externally accessible IT systems—including LVM GEO, the company’s mapping services platform, and the Mednis hunting application—were taken offline. Several internal systems used for information exchange with customers and business partners were also disconnected.

Responsibility for the attack has been claimed by a foreign ransomware group. Latvia’s State Police have launched a criminal investigation, while Cert.lv continues to analyse the circumstances surrounding the incident.

Cybersecurity expert Elviss Strazdiņš previously stated that he had communicated with the individual or group claiming responsibility for the attack and learned that the attackers allegedly demanded a ransom equivalent to 0.1% of the company’s annual revenue—more than €600,000—in exchange for decrypting the data.

As previously reported by LETA, Olpha (formerly Olainfarm) generated consolidated revenue of €126.874 million in 2024, down 2.9% from the previous year, while net profit declined 28% to €38.648 million. The group’s financial results for 2025 have not yet been published.

Olpha itself reported revenue of €100.782 million in 2024, a decrease of 10.6% compared with 2023, while profit fell 41% to €30.636 million.

The company manufactures finished pharmaceutical products, dietary supplements, chemical substances and active pharmaceutical ingredients (APIs). Established in 1991, Olpha has a registered share capital of €3,000,004. The company is owned by AB City, the parent company of the Repharm Group. The ultimate beneficial owners of AB City are Sergejs Korņijenko, Andrejs Leibovičs, Jeļena Ņikitina and Roberts Tavjevs.
