Hacker remained undetected in “Latvijas valsts meži” system for several days

A hacker had gained access to the IT systems of Latvia’s state-owned forestry company “Latvijas valsts meži” (LVM) as early as 11 June but only began carrying out active operations during the night of 22–23 June, Prime Minister Andris Kulbergs told journalists on Thursday following a Cabinet meeting on the cyberattack.

However, the hacker remained undetected in the system for several days.

“It is unacceptable that there were no detection tools in the system to identify abnormal activity,” Kulbergs said.

The Prime Minister acknowledged that no organisation is immune to cyberattacks and noted that such incidents occur frequently every month. He said the government is still determining who bears responsibility in the LVM case. According to Kulbergs, key questions include why LVM had not implemented the requirements of Latvia’s National Cybersecurity Law and how the cybersecurity audit failed to identify these shortcomings.

Current information indicates that LVM has recovered 85% of the information obtained by the hacker.

Kulbergs stressed that the incident does not pose a threat to national security, although some of the leaked material contains sensitive information whose classification is still being assessed. A separate meeting will be held to address that issue.

He also reiterated that neither Latvia’s election system nor the election module developed by LVM was affected.

Kulbergs added that both in the LVM case and more broadly within the state, there is a lack of a single coordinating authority. In his view, that role should be performed by the Crisis Management Centre.

When Kulbergs was informed of the cyber incident, he was abroad, so Defence Minister Raivis Melnis convened the first meeting of the responsible institutions on 25 June.

Speaking to journalists on Thursday, Melnis emphasised that cybersecurity is also the responsibility of every organisation and individual. He said Latvian institutions are working together to provide coordinated support in such situations.

Participants at the meeting agreed that LVM would take the lead in communicating with the public about the incident, with support from Cert.lv and the Crisis Management Centre. LVM is working alongside Cert.lv and other specialised organisations to restore its systems.

The Ministry of Defence also pledged to support institutions in implementing business continuity plans.

Kulbergs announced that he will issue a formal resolution assigning specific cybersecurity responsibilities to the relevant authorities.

LETA previously reported that the Cabinet held a special meeting on Thursday to hear reports from responsible institutions on the cyber incident and Latvia’s overall cybersecurity situation, while also discussing improvements to existing procedures.

The cyberattack on LVM’s IT infrastructure was detected on 22 June. As a precaution, several externally accessible systems, including LVM GEO, the map services platform and the Mednis hunting application, were taken offline. Several internal systems used for communication with business partners and clients were also disconnected.

A foreign ransomware group has claimed responsibility for the attack. Latvia’s State Police have launched a criminal investigation, while Cert.lv is assisting with the technical investigation.

Cybersecurity expert Elviss Strazdiņš previously said he had contacted the attackers and learned that they had allegedly demanded a ransom equal to 0.1% of the company’s annual revenue—more than €600,000—in exchange for decrypting the stolen data.
