
Latvian Cybersecurity and CERT.LV Technical Activities: Annual Report 2023

Latvian Cybersecurity and CERT.LV Technical Activities: Annual Report 2023 (PDF)

This report contains generally available information about CERT.LV activities and operating results, excluding restricted-access information. This report is for information only.

“Building and strengthening its strategic cooperation at national and international level, and contributing to NATO’s collective defence in Europe, the CERT.LV team works tirelessly to ensure that Latvia is a tough and difficult target for cyber attackers. Latvia’s approach is based on targeted cyber threat visibility and getting early intelligence, on processing it and responding at operational and strategic policy levels. Every detected threat indicator goes into a centralised active protection infrastructure, the DNS firewall, aimed at effectively protecting every person living in Latvia, every company and organisation that uses the protection provided by CERT.LV,” says Varis Teivāns, Deputy Manager of CERT.LV.

Summary

Since the start of the Russia-Ukraine war, the level of cyber threats in Latvia has been high, with some types of cyberattack increasing sevenfold. At the same time, the situation in cyberspace is stable, and the resilience of Latvia’s information technology (IT) infrastructure to cyberattacks increases daily. To this day, cyberattacks have not had a significant or lasting impact on the public, its security, or essential services.


However, the findings of the threat hunting operations conducted by CERT.LV are concerning: almost a third of public sector institutions suffered, with varying degrees of impact, from cyberattacks linked to other countries (including Russia).

This reaffirms the need to be able to monitor compliance with the minimum cybersecurity requirements in the country, the need for readily available and effective cybersecurity services, and the necessity of being able to process high volumes of information technology telemetry, which would in turn enable high-quality support for the public sector’s technical and human resources against ever-growing cyber threats. To find out more about the free services offered by CERT.LV, visit https://cert.lv/lv/pakalpojumi.


Threat hunting operations

Threat hunting operations are proactive searches for attackers who are already present in a network. CERT.LV, on its own and in conjunction with allied nations, has been conducting these operations in Latvia’s critical IT infrastructure and other high-priority entities since 2022.


With more than 100,000 devices analysed in 25 organisations by the end of 2023, Latvia is the European Union’s leader in organising and conducting threat hunting operations. In a third of the organisations, the presence of an attacker linked to another country (an advanced persistent threat, APT) was identified with high confidence; that presence was eliminated, and other significant threats were found which the target organisations were able to address through data-driven decisions.


Attackers supported by other countries used a variety of intrusion techniques to gain access to critical government and IT infrastructure assets, including authentication spoofing, exploiting publicly known vulnerabilities, compromising websites, compromising VPN and e-mail gateways, phishing, and targeted delivery of malware via e-mail. In more than five cases, the attacker gained initial access by compromising a private-sector IT support, software development, or security service provider, and then used that foothold to reach the corporate networks and information systems of the provider’s clients. Insecurely configured websites and information systems exposed to the public network were often compromised, as were exposed remote access services (RDP), alongside malware delivery via e-mail.


After gaining initial access, attackers most often sought to expand their presence in the corporate network and to compromise the Windows Active Directory infrastructure in order to gain as much control as possible. It is in the initial phase of an attack that the attacker’s actions are the least cautious, the most visible, and the most easily prevented, which is why centralised and efficient collection and processing of telemetry from corporate networks, servers, and the entire security perimeter is critical. In order to effectively protect the information technology infrastructure of organisations, CERT.LV offers a broad range of cybersecurity services to the entities subject to the Law on the Security of Information Technologies.


Politically motivated denial of service (DDoS) attacks

Politically motivated denial of service (DDoS) attacks conducted by pro-Russia hacktivist groups continue to take place in waves, targeting Latvia’s government institutions and businesses in certain sectors. The share of successful attacks is decreasing, which is a testament to the readiness of Latvia’s information technology infrastructure, the effectiveness of the centralised defence service funded by the Ministry of Defence, and the ability of telecommunications operators to provide their services even when subjected to a prolonged external attack. It is essential to prevent the involvement of Latvia’s IT infrastructure in cyberattacks and the possibility of attacks from within the country, as Russian-linked telecommunications companies are deliberately building a presence in Latvia and other EU member states.


Financially motivated attacks

Financially motivated attacks continue to be executed via phishing and fraudulent investment platforms, defrauding the Latvian public of more than 1 million euros every month. Companies continue to receive business e-mail compromise (BEC) attacks, in which attackers gain access to e-mail threads about genuine transactions and send invoices for those real transactions with modified payment details.
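The BEC pattern described above succeeds because the invoice is real and only the bank details are swapped. The standard control is to compare every incoming invoice against the vendor master record and hold payment when the IBAN, its country, or the sending domain deviates. The script below is an added example written for this report summary, not CERT.LV code; the vendor master record, the invoices, the names and the lookalike domain are all constructed (the two valid IBANs are the well-known GB and DE registry examples, not real accounts).

```python
"""Constructed example: flag invoices whose payment details differ from vendor master data."""
import re
from dataclasses import dataclass

IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, so 'de89 3704 ...' and 'DE893704...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting integer must be 1 mod 97."""
    iban = normalise_iban(iban)
    if not IBAN_RE.match(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


# Constructed vendor master record (assumed to come from the ERP, not from any e-mail).
VENDOR_MASTER = {
    "V-1001": {
        "name": "Example Parts GmbH",
        "iban": "DE89370400440532013000",   # registry example IBAN, constructed record
        "country": "DE",
        "domain": "example-parts.example",
    },
}


@dataclass
class Invoice:
    vendor_id: str
    invoice_no: str
    amount_eur: float
    iban: str
    sender: str  # From: address on the e-mail that carried the invoice


def check_invoice(invoice: Invoice, master=VENDOR_MASTER) -> list:
    """Return a list of finding codes; an empty list means the invoice matches the record on file."""
    vendor = master.get(invoice.vendor_id)
    if vendor is None:
        return ["UNKNOWN_VENDOR"]
    findings = []
    iban = normalise_iban(invoice.iban)
    if not iban_checksum_ok(iban):
        findings.append("IBAN_INVALID")
    if iban != normalise_iban(vendor["iban"]):
        findings.append("IBAN_CHANGED")
    if iban[:2] != vendor["country"]:
        findings.append("IBAN_COUNTRY_MISMATCH")
    sender_domain = invoice.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        findings.append("SENDER_DOMAIN_MISMATCH")
    return findings


def payment_decision(invoice: Invoice) -> str:
    """Hold anything with findings: the payment team verifies new bank details by phone,
    using the number already on file rather than one printed in the e-mail."""
    return "HOLD_AND_VERIFY" if check_invoice(invoice) else "RELEASE"


# Constructed sample invoices: one genuine, one with a swapped (but checksum-valid) IBAN sent
# from a lookalike domain, one with a typo'd IBAN that fails the checksum outright.
GENUINE = Invoice("V-1001", "INV-2023-0417", 12450.00, "DE89 3704 0044 0532 0130 00",
                  "billing@example-parts.example")
SWAPPED = Invoice("V-1001", "INV-2023-0417", 12450.00, "GB82WEST12345698765432",
                  "billing@examp1e-parts.example")
TYPO = Invoice("V-1001", "INV-2023-0418", 980.00, "DE89370400440532013001",
               "billing@example-parts.example")

if __name__ == "__main__":
    for inv in (GENUINE, SWAPPED, TYPO):
        print(inv.invoice_no, inv.iban, check_invoice(inv), payment_decision(inv))
```

The checksum test alone is not a fraud control (an attacker’s account has a valid IBAN too); it only catches transcription errors. The finding that matters for BEC is `IBAN_CHANGED`, and the response is an out-of-band confirmation with the vendor, never a reply to the thread that carried the invoice.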


For a long time, Russian was the language of choice for scammers; towards the end of the year, however, fluent Latvian, both spoken and written, became more prevalent in fraudulent campaigns. It is expected that attackers will make increasing use of new technologies, including “artificial intelligence” / large language models, to improve the quality of fraudulent schemes and the language in which they are delivered, to forge voice and imagery, and to run disinformation campaigns and create misleading content.


Vulnerabilities and vulnerable IT systems

Vulnerabilities and vulnerable IT systems are a growing risk, driven by newly discovered critical vulnerabilities, incorrectly configured IT systems, and outdated IT solutions. The most capable attackers are becoming faster, exploiting recently discovered vulnerabilities on a large scale within 1–2 days of their disclosure. Supply chain attacks were observed against organisations with high levels of security, gaining access to the target infrastructure by attacking outsourced software developers and other service providers.


Taking into account Ukraine’s experience in its full-scale war with the aggressor state, Russia, the CERT.LV team carried out a number of controlled intrusion attempts and vulnerability awareness measures across Latvian IP address ranges and the .lv domain zone, in order to identify vulnerable systems before an attacker does. A search for publicly exposed and vulnerable surveillance cameras was also carried out, finding more than 200 devices at sites where unauthorised or even public video surveillance was not desirable.


The coordinated vulnerability disclosure platform cvd.cert.lv was created, which successfully serves as a bridge for communication between cybersecurity researchers (white-hat hackers) and Latvian institutions and companies.


During the reporting period, CERT.LV conducted 16 large-scale IT security tests and several controlled attack simulations, during which a number of significant vulnerabilities were found and eliminated. Automated security scans of more than 2700 gov.lv domains identified dozens of assets running outdated software versions with publicly known vulnerabilities. As part of the CERT.LV services, phishing attacks were simulated, the vigilance of more than 8000 government institution employees was tested, and the ability of target institutions to identify data leaks was checked.


Operational technology (OT) and industrial control system security

Operational technology (OT) and industrial control system security research was conducted, examining the security of operational systems in the energy and transport industries. By analysing protocols and alarms and reverse-engineering industrial control system software, new insights were gained and security risks were identified. The inspections revealed previously unknown security risks, all of which could be controlled by putting appropriate procedures in place.


A project on OT sensors was launched and Latvia’s first OT Security Operations Centre was established, providing the necessary expertise and support to the controllers of the country’s critical IT infrastructure.


DNS firewall

The DNS firewall is an active security solution that protects users against fraudulent websites and maliciously registered domain names, and is provided free of charge by CERT.LV and NIC.LV. Since 2022, use of the service has increased fivefold, and it now processes 1.5 million DNS requests per month. In Q4 2023, the service prevented (unique) users from visiting malicious sites about half a million times. In autumn 2024, the DNS firewall mobile application is expected to become available for Apple iOS and Android mobile devices.
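A DNS firewall of the kind described above works by applying a policy to each query name before the resolver answers it: names on a threat list get NXDOMAIN or are steered to a sinkhole address, and everything else resolves normally. The script below is an added example for this summary, not CERT.LV or NIC.LV code, and it does not describe how their service is built; it evaluates policy in the BIND Response Policy Zone (RPZ) syntax over a constructed zone fragment and a constructed query log. The domain names, addresses and client IPs are invented.

```python
"""Constructed example: RPZ-style DNS firewall policy evaluation with blocking statistics."""
from dataclasses import dataclass, field

# Constructed RPZ zone fragment (BIND Response Policy Zone QNAME triggers):
#   owner CNAME .              -> answer NXDOMAIN
#   owner CNAME *.             -> answer NODATA (NOERROR, empty answer)
#   owner CNAME rpz-passthru.  -> exempt from policy, resolve normally
#   owner A <addr>             -> local data (sinkhole / warning page)
# A leading "*." matches subdomains of the owner only, not the owner itself.
RPZ_ZONE = """
; invented names for the example
phish-bank.example          CNAME .
*.phish-bank.example        CNAME .
malware-drop.example        A     192.0.2.1
*.malware-drop.example      A     192.0.2.1
tracker.example             CNAME *.
allowed.example             CNAME rpz-passthru.
"""


@dataclass
class Policy:
    exact: dict = field(default_factory=dict)     # fqdn -> (action, data)
    wildcard: dict = field(default_factory=dict)  # parent fqdn -> (action, data) for subdomains


def parse_rpz(text: str) -> Policy:
    """Parse the subset of RPZ syntax used above into a lookup structure."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(maxsplit=2)
        if rtype == "CNAME":
            action = {".": ("NXDOMAIN", None), "*.": ("NODATA", None),
                      "rpz-passthru.": ("PASSTHRU", None)}.get(rdata)
            if action is None:
                raise ValueError(f"unsupported CNAME target {rdata!r}")
        elif rtype == "A":
            action = ("LOCAL", rdata)
        else:
            raise ValueError(f"unsupported record type {rtype!r}")
        name = owner.lower().rstrip(".")
        if name.startswith("*."):
            policy.wildcard[name[2:]] = action
        else:
            policy.exact[name] = action
    return policy


def lookup(policy: Policy, qname: str) -> tuple:
    """Exact owner wins; otherwise walk the parents label by label and apply the
    closest wildcard. Matching is per label, so 'phish-bank.example.com' is not caught
    by a rule for 'phish-bank.example'."""
    name = qname.lower().rstrip(".")
    if name in policy.exact:
        return policy.exact[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in policy.wildcard:
            return policy.wildcard[parent]
    return ("PASSTHRU", None)


class DnsFirewall:
    """Applies the policy per query and keeps the two figures a report quotes:
    total blocked queries and the number of distinct clients that were protected."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.blocked_total = 0
        self.protected_clients = set()

    def handle_query(self, client_ip: str, qname: str) -> dict:
        action, data = lookup(self.policy, qname)
        if action == "PASSTHRU":
            return {"rcode": "NOERROR", "answer": None, "blocked": False}
        self.blocked_total += 1
        self.protected_clients.add(client_ip)
        if action == "NXDOMAIN":
            return {"rcode": "NXDOMAIN", "answer": None, "blocked": True}
        if action == "NODATA":
            return {"rcode": "NOERROR", "answer": None, "blocked": True}
        return {"rcode": "NOERROR", "answer": data, "blocked": True}   # sinkhole address


# Constructed query log: (client IP, queried name).
SAMPLE_QUERIES = [
    ("10.1.1.5", "login.phish-bank.example"),
    ("10.1.1.5", "www.example.org"),
    ("10.1.1.7", "malware-drop.example"),
    ("10.1.1.5", "phish-bank.example."),
    ("10.1.1.9", "allowed.example"),
    ("10.1.1.9", "phish-bank.example.com"),
]


def run_sample():
    """Replay the constructed log; returns (blocked queries, protected clients, per-query results)."""
    fw = DnsFirewall(parse_rpz(RPZ_ZONE))
    results = [fw.handle_query(client, qname) for client, qname in SAMPLE_QUERIES]
    return fw.blocked_total, len(fw.protected_clients), results


if __name__ == "__main__":
    blocked, clients, _ = run_sample()
    print(f"blocked {blocked} queries from {clients} distinct clients")
```

The per-label parent walk is the detail worth keeping: a naive `endswith` test would let `phish-bank.example.com` match a rule for `phish-bank.example` and, worse, would miss nothing but block legitimate names that merely end in the same characters.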