
CERT.LV activity review Q2 2024

 

CERT.LV Activity Report for Q2 2024 (PDF).

The Activity Report for Q2 2024 contains publicly available information and does not include information about CERT.LV activities that contain classified information. The report is for informational purposes only.

 

Summary

Latvia faces a persistently high level of cyber threats driven by financial, political, and ideological motives. The cyber threat landscape is evolving with increasingly sophisticated attacks that exploit human error and technological weaknesses. Attackers skillfully use phishing, targeted malware, and weak authentication mechanisms to breach defenses.

 

In Q2 2024, CERT.LV registered 388,922 unique compromised IP addresses, the highest number in two years. This is an increase of 11% compared to the previous quarter and 16% compared to Q2 last year.

At the same time, the situation in cyberspace is stable and well protected. Latvia's information and communication technology (ICT) infrastructure is increasingly resilient to cyber-attacks, which have so far had no significant or lasting impact on society, its security and critical services. We can be proud of our excellent cyber security professionals. However, this should not allow us to relax, as cybersecurity is constantly evolving, which makes it necessary to seek and implement new measures to increase cyber resilience.

Key cybersecurity threats and trends: One high-profile cyber-attack was recorded in the reporting period; it was carried out against a public authority through a VPN that did not have two-factor authentication enabled. However, this did not have any lasting impact on society. Significant threats with a broad impact on the commercial sector, national and local authorities represent 0.02% of all categorised threats, which is almost half the level of Q1, but 75% more than in Q2 last year. Meanwhile, significant threats with a medium impact account for 0.65% of all categorised threats: the number of compromised IP addresses is 11% more than in Q1 and 16% more than in Q2 last year.

Compromised devices, malicious code and intrusion attempts had the highest increase in activity of all threat types in Q2 2024. Intrusion attempts continue to move upwards, reaching their highest level in two years, with a 56% increase since the beginning of the year and more than a 2-fold increase compared to Q2 last year. From a geopolitical perspective, this is due to Russian-backed cyber attacks and efforts to compromise critical ICT infrastructure in NATO and EU Member States, which have been steadfast in their support for the Ukrainian people in their fight against Russia.

Cyber attackers supported by hostile states, including Russia, have used a variety of intrusion techniques to gain access to critical government and ICT infrastructure resources: authentication spoofing, exploiting publicly known vulnerabilities, compromising websites, compromising VPN and email gateways, phishing and targeted malware delivery via email. Such trends point to the need to step up security measures and educate the public about potential cyber threats.

Furthermore, it confirms the need for national monitoring of compliance with minimum cybersecurity requirements, as well as readily available effective cybersecurity services and ICT security telemetry processing that can support public sector technical and human resources against the growing cyber threats in a qualitative manner and in line with current challenges. For more information on the range of free services provided by CERT.LV, please visit: https://www.cert.lv/pakalpojumi.

Fraud is on the rise: in Q2 2024, the number of compromised unique IP addresses registered by CERT.LV under the threat "Fraud" increased by 45% compared to Q1 and by 70% compared to Q2 last year; at least €1 million is defrauded every month. The 3 most common types of fraud are phishing, phishing and spear phishing. Most commonly, mass text messages and emails are sent on behalf of various public authorities, courier services and financial institutions with fake links, embedded QR codes or malicious attachments disguised as invoices. Fraudsters follow current events and exploit them, in particular the timing of income tax returns, to scam money. Hoax calls and compromised business correspondence have become a serious problem affecting many businesses and citizens. Carelessness and poor cyber hygiene increase the risks of fraud.

Availability of service: Waves of denial-of-service (DDoS) attacks, including cyber-attacks targeting public authorities and companies in specific sectors by Russia and its proxy hacktivists, continued but were successfully repelled, many of them automatically. Compared to Q2 2023, the number of DDoS attacks has almost halved. This is no coincidence. Latvia knows how to defend itself, making itself a difficult and uninteresting target for such cyber-attacks.

Vulnerabilities and vulnerable systems: This is an ongoing risk, affected by newly discovered critical vulnerabilities, misconfiguration of IT systems and supply chain attacks. The vast majority of cyber attacks are still carried out using publicly known vulnerabilities, so early identification and patching of configuration weaknesses can significantly improve the cybersecurity situation.

Threat hunting operations: by the end of the reporting period, more than 140 000 installations had been analysed in 31 organisations. Latvia is a leader in organising and conducting threat hunting operations in the European Union (EU). In 25% or 8 organisations, the presence of foreign intruders (FIDs) was identified with high confidence, the identified attacker was eliminated, and other significant threats were detected that the target organisations were able to address through data-driven decisions. At the end of the reporting period, CERT.LV concluded an extended presence threat hunting operation with representatives of the Canadian Forces Cyber Command, the Canadian Cyber Security Centre and the Latvian Armed Forces. The extended presence reinforced and complemented the ongoing threat hunt. Several allied countries visited the ongoing Enhanced Presence operation to learn from the successful cooperation between Latvia and Canada, and possibly adopt good practices to implement in their own areas of responsibility.

Security tests and assessments: CERT.LV worked in close cooperation with the Central Electoral Commission, the State Chancellery and other institutions involved in the electoral process to perform penetration tests on all systems involved in the European Parliament (EP) elections. During the reporting period, no incidents directly related to electoral systems or electoral security were observed in Latvia.

DNS firewall effectiveness: In Q2, the number of requests processed by the DNS firewall service was more than 1 million, protecting users from malicious websites. Every threat indicator detected goes into a centralised active protection infrastructure to protect all Latvian citizens and organisations using the free protection provided by CERT.LV and NIC.LV.

Sensor network effectiveness: the ABS detects on average 6 000 high-priority incidents per month in national, local and ICT critical infrastructure institutions. This increase was mainly due to the very large scale and scope of phishing campaigns on behalf of SRS and Latvijas Pasts, respectively, breaking all previous records during the reporting period.

Coordinated Vulnerability Disclosure (CVD) platform: Continuing the development of the CVD platform, Q2 was particularly productive: the number of Security Researchers increased by 57%, the number of vulnerabilities logged on specific institutional applications increased fivefold, and the number of reports of vulnerabilities logged on the CERT.LV client increased threefold.

Training and educational events: In the reporting period, CERT.LV educated 10 742 participants on ICT security through 52 educational events, improving the knowledge and skills of both individual users and organisations to ensure the security of their data and systems.

By fulfilling its mission, CERT.LV continues to promote cybersecurity and be a trusted opinion leader in Latvian cyberspace.