Hacker Lurked in LVM System for Days Before Attack Discovered
Prime Minister Andris Kulbergs revealed that a hacker had accessed the system of Latvia's state forest company LVM on June 11 but only began malicious activities on June 22–23, remaining undetected for days.

During a government meeting on Thursday, Prime Minister Andris Kulbergs disclosed that a hacker had infiltrated the IT system of AS "Latvijas Valsts meži" (LVM) as early as June 11, though actual disruptive actions began only on the night of June 22–23. The intruder went unnoticed for several days, which Kulbergs deemed unacceptable, highlighting the lack of identification tools to detect anomalies.
Kulbergs emphasized that no entity is immune to cyberattacks and such incidents occur frequently. He is still identifying those responsible in the LVM case, particularly questioning why the company had not implemented the requirements of the National Cybersecurity Law and how an auditor had overlooked this.
Currently, LVM has recovered 85% of the data accessed by the hacker. Kulbergs stated that there is no threat to the state, but sensitive information was compromised, the status of which requires further evaluation. He reiterated that the election system and its associated module were not affected.
The Prime Minister acknowledged a lack of a single responsible coordinator for cybersecurity at LVM and nationally, suggesting that the Crisis Management Center should fulfill this role. He plans to issue a resolution assigning duties to relevant parties.
Defense Minister Raivis Melnis stressed that cybersecurity is everyone's responsibility and that state institutions can provide synchronized support. The meeting agreed that LVM, supported by "Cert.lv" and the Crisis Management Center, will handle public communication.
The cyberattack on LVM was detected on June 22, prompting the shutdown of several external and internal systems, including "LVM GEO," map services, and the hunting app "Mednis." A foreign ransomware group claimed responsibility, and the State Police have launched a criminal investigation. Cybersecurity expert Elviss Strazdiņš reported that the attackers demanded a ransom of 0.1% of LVM's annual revenue, or over 600,000 euros.
/nginx/o/2026/04/20/17573457t1h086f.jpg)

