Police Reveal Impersonator Intervened in LVM Hacker Attack Case
Latvian State Police announced that an unauthorized person posed as a representative of AS "Latvijas valsts meži" (LVM) and communicated with the cybercriminal. Meanwhile, cybersecurity expert Elviss Strazdiņš, who publicized attack details, claims a criminal case has been opened against him.
The Latvian State Police have provided new information regarding the cyber extortion case against AS "Latvijas valsts meži" (LVM). The investigation revealed that an unrelated individual impersonated an LVM representative without any authorization and engaged in communication with the hacker, discussing a potential ransom for data decryption. The police emphasized that these actions were not coordinated with any involved authority. A review is being conducted within the existing criminal proceedings initiated for the cyberattack on LVM infrastructure. No arrests have been made.
The police stated that no one has the right to arbitrarily interfere with the investigation, impersonate a victim organization, or take actions that could hinder evidence collection or cause irreversible consequences. At the same time, they noted that they are not refusing assistance, but no one has contacted them regarding this matter.
This announcement has drawn negative public reaction, with many commentators expressing dissatisfaction with the police's approach. Previously, cybersecurity expert Elviss Strazdiņš posted on social media platform "X" that a criminal case had been opened against him, despite his efforts to publicly disclose technical details of the attack. Strazdiņš had released a video demonstrating how hackers exploited outdated "GeoServer" software to access LVM systems, and revealed his correspondence with the perpetrator.
According to the correspondence, the hacker demanded €600,000 for data decryption, offering a discount to €500,000 if paid via the "Monero" cryptocurrency. Strazdiņš attempted to negotiate a lower sum, but the cybercriminal refused further discussion. The attacker claimed to possess approximately 400 GB of internal documents, 20 GB from GitLab servers containing source code, and 60 GB of employee emails. When asked if the stolen data would be sold, the hacker replied that LVM data was of little interest to anyone.
LVM previously stated that it would not pay any ransom under any circumstances and that all files stored in its IT systems have backups. Responsibility for the attack was claimed by a foreign ransomware group that has conducted similar operations against other companies and government institutions. LVM's IT team is gradually restoring system operations to ensure business continuity.
/nginx/o/2026/06/19/17729257t1h009f.jpg)
