In the first 11 months of 2025, the number of identified vulnerable devices reached 1.16 million, the highest figure on record, Varis Teyvans, deputy head of the incident prevention agency Cert.lv, told LETA.
He noted that the level of cyber threats in Latvia has remained high since 2022, with periods of low intensity now in the past, and that residents and organizations in the digital environment are constantly exposed to risks. Every day, Cert.lv processes several million threat indicators; over the course of 11 months, more than 2,500 of them have been classified as cyber incidents and processed manually, the highest figure to date.
To strengthen cybersecurity in Latvia and create a multi-layered cyber defense, Cert.lv provides 15 different free services to government institutions, critical infrastructure owners, and providers of essential and important services. These include incident response support, threat hunting operations, penetration testing, security operations center services, a vulnerability notification platform, training, and other services. A DNS firewall, which protects against visiting fraudulent websites, is also available to every resident and business in Latvia. This year, in less than 12 months, the DNS firewall has blocked 12 million attempts to access malicious sites, Teyvans noted.
He emphasized that Cert.lv is a leader in the European Union (EU) in guiding cyber threat hunting operations: joint threat hunting operations have been carried out with NATO allies, and a training course on threat hunting has been created. Since 2022, thanks to such operations, cybersecurity has been significantly improved at more than 40 public sector and critical infrastructure sites. On almost one-fifth of the analyzed devices, the presence of state-sponsored malicious actors was identified and eliminated. The training course involved cybersecurity experts from over 27 NATO member countries, and there are plans to offer the course regularly to partners from other countries, as there is significant interest in it.
The range of attacks observed last year was wide: both financially motivated cybercriminals' activities and actions by state-sponsored groups were recorded. Fraud is quantitatively the largest and fastest-growing threat, with a 36% increase compared to 2024. Fraudsters impersonate government institutions, popular service providers, or platforms, Teyvans reported.
He noted that, when in a hurry, even residents who seem well prepared to recognize fraud can become victims. Data from the Financial Industry Association indicates that in the first three quarters of 2025, residents of Latvia were defrauded of nine million euros. Fraudulent phone calls have the most significant impact.
Teyvans pointed out that ransomware, which encrypts data and demands a ransom for its recovery and potentially for non-disclosure, has the greatest impact on businesses. These attacks cause downtime as well as financial and reputational losses. Backup copies, a business continuity plan, and testing of that plan play a crucial role in reducing the impact of ransomware.
He also noted that distributed denial-of-service (DDoS) attacks, which aim to disrupt access to certain websites or services and to attract public attention, have not disappeared, but they now come more in waves and are often associated with public statements by officials that contradict the ideology of a specific group of malicious actors or of a state. In most cases, such attacks do not affect the operation of services. Not all service disruptions are related to DDoS attacks, as technical malfunctions also occur.
Cyberattacks directed against Latvia and supported by other states mainly originate from Russia, and this is likely to continue. Currently, it is observed that these attacks are expanding, attempting to cover as wide a range of targets as possible; however, the execution of attacks is becoming more superficial, carried out according to specific schemes and increasingly predictable, while countermeasures are developing, making Latvia a less attractive target for attackers, Teyvans noted.
At the same time, Teyvans emphasized that the greatest stumbling block for residents when it comes to cybersecurity remains a lack of understanding of how various services work and how to distinguish legitimate communication from companies or institutions. For example, confirming one's identity does not require entering the Smart-ID PIN2, institutions will not call and communicate with residents in Russian, and if a Smart-ID confirmation is suddenly requested while the person is not taking any action, they should not enter the code, because the request was initiated by someone else.
Cert.lv is a structural unit of the Institute of Mathematics and Computer Science of the University of Latvia. Its tasks include maintaining a unified overview of processes occurring in the electronic information environment, and providing support in preventing information technology security incidents, or coordinating their prevention, in Latvian IP address ranges and the '.lv' domain zone.