CERT.LV activity review Q3 2025

The full version of the report is available here: PDF

The cyber-threat level in Latvia remains consistently high, with an average of 500-700 incidents every quarter since 2022. Periods of low intensity are a thing of the past, and internet users are still exposed to constant risks.

In the third quarter of 2025, 671 cyber incidents were recorded, which is 5% fewer than in the second quarter of this year but 2% more than in the third quarter of last year; overall, an upward trajectory can be observed. The number of compromised devices identified by CERT.LV continues to grow rapidly: it is 111% higher than in the second quarter of this year and 36% higher than in the third quarter of last year.

Key trends and threats
 

  • The number of compromised devices continues to grow rapidly, indicating a new phase of cyber threats – an increase in IoT and botnet activity, malware, and automated vulnerability exploitation. This signals the need to strengthen vulnerability management and perform timely updates to smart devices.
     
  • Critical vulnerabilities in Microsoft SharePoint and WinRAR were actively exploited – at least one compromise was detected in Latvia’s critical infrastructure (CI) sector. CI operators who have implemented and use CERT.SOC services are able to detect such threats much faster and eliminate them more effectively.
     
  • Cyber threats originating in Russia remain high, especially against critical infrastructure and OT systems (energy, water, heating); DDoS attacks from the Russia-linked group NoName057(16) and botnets have been observed.
     
  • Encrypting ransomware, which is becoming increasingly adept at circumventing defence mechanisms, continues to threaten organisations, with three cases registered by CERT.LV. Institutions need to strengthen their backup, recovery, and incident response capabilities.
     
  • Supply-chain attack risks continue to rise, underscoring the need for more proactive security audits, stricter cybersecurity requirements in procurement, and ongoing reminders about the importance of timely software updates. The introduction of the new “minimum cybersecurity requirements” regulation is a positive step that will help raise the overall cybersecurity maturity across organisations.
     
  • Social engineering and fraud campaigns are reaching new levels of intensity: paid Google ads are being used to spread fraudulent websites offering fake investment schemes, and there has been an increase in SMS and email phishing campaigns impersonating government agencies (particularly CSDD, VID EDS, DPD) and well-known public figures. A new dimension of threat is the ClickFix mechanism, which uses CAPTCHA checks to get users to unknowingly activate harmful actions. 2FA, DNS firewalls, timely updates, and employee training reduce risks and the impact of incidents.

Attacks are becoming hybrid, exploiting both technological and human vulnerabilities. Resilience is critical; rapid, coordinated action is essential to limit the impact of an attack – timely vulnerability remediation, telemetry data, and response capabilities can significantly reduce the potential consequences.

These trends confirm the need to continue strengthening Latvia’s preparedness for a wide range of threats by applying multi-layered cyber defence – DNS firewalls, support in resolving cyber incidents and Security Operations Centre (SOC) services, threat hunting and security testing, as well as user education and training provided by the CERT.LV team.