Latvia’s state-owned forestry company LVM was hit by a ransomware attack several weeks ago and many of its internal and customer-facing services remain offline. The attackers gained access by exploiting a vulnerability in an outdated system. LVM has not paid the ransom demand. According to The Record, a foreign, financially motivated group carried out the attack.
LVM is one of Latvia’s largest state-owned enterprises, managing roughly half the country’s forests and running timber operations at significant commercial scale. Taking it offline is not a minor disruption. The company is still in the process of restoring its IT environment and no timeline for full recovery has been published.
An Outdated System Left the Door Open
LVM has confirmed the attackers exploited an outdated system vulnerability. No CVE has been disclosed and the affected product has not been named publicly. That is a significant gap. Without knowing which component was targeted, other organisations in the same sector cannot assess whether they carry the same exposure.
The pattern is familiar and the lesson is unchanged, unpatched legacy systems in operational environments are the entry point of choice for financially motivated ransomware groups. This was not a zero-day. The vulnerability was known. The company had not addressed it.
Attribution Stays at “Financially Motivated” for Now
Latvian authorities and LVM have described the attackers as a foreign, financially motivated group. No ransomware gang has been named publicly and no group has claimed the attack. That level of attribution is appropriate at this stage. Anyone claiming to know exactly who is behind this within days of an incident should be pressed on their evidence.
The financially motivated framing does however narrow the field. State-directed operations against a forestry company carry limited strategic logic. This looks like an opportunistic attack against a large organisation with a legacy IT estate which is precisely the profile these groups target for maximum leverage.
State-Owned Does Not Mean Well-Defended
LVM’s experience reinforces a point that often gets lost in discussions about critical infrastructure security, state ownership does not translate into strong cyber hygiene. Public sector and state-adjacent organisations across the Nordics and Baltics frequently carry technical debt accumulated over decades of underinvestment in IT modernisation. Attackers know this and price it into their target selection.
Sweden’s Sveaskog, the state-owned forestry company managing around 14% of Sweden’s productive forest land, operates a comparable IT-dependent operational model across timber logistics, land management and customer services. There is no indication Sveaskog has been targeted but the LVM attack is a direct prompt to review patch status on any legacy systems sitting in or adjacent to operational infrastructure.
Patching Is the Only Actual Fix Here
The remediation for this attack is not complex. It is just chronically underdone. Maintain a current inventory of every system in your environment including those that predate your current IT team. Map which ones are internet-facing or accessible from external networks. Prioritise patching based on exposure, not age of the vulnerability.
If a system cannot be patched because it runs software that will not support a current OS, isolate it. Put it behind strict network segmentation with no unnecessary external access. Document the risk formally and ensure management has signed off on the decision to leave it in place. That paper trail matters when regulators ask questions and under NIS2 they will.
Offline, tested backups remain the single most effective control for limiting ransomware damage once an attacker is already inside. LVM’s refusal to pay suggests the company had enough backup integrity to attempt recovery. Weeks of downtime is the cost of that decision. It is still the right call.
References
This post is also available in: