
CERT.LV activity review Q4 2025

The full version of the report is available here: PDF

The level of cyber threats in Latvia remains high, with a steady upward trend. Since Russia’s full-scale invasion of Ukraine, the number of cyber incidents in Latvian cyberspace has increased sixfold. In Q4 2025, CERT.LV recorded its highest-ever number of manually processed cyber incidents (923), while the number of compromised devices increased eightfold, reaching a record high of 731,783 during the reporting period.

Attacks are both financially and politically motivated, and geopolitical factors continue to serve as a significant catalyst for threats. It is not just the intensity and complexity of attacks that are increasing: it is also the ability of attackers to adapt, which in turn encourages the development of appropriate tech security solutions, spurring demand for data-driven services and for better response capability in the public and private sectors.

Key trends and threats
 

  • In Q4 2025, fraud was the dominant driver behind the growth of cyber incidents in Latvian cyberspace, creating significant and increasing financial risks for both individuals and organisations. Social engineering activities are intensifying through the effective use of artificial intelligence tools and automation, accelerating identity theft and account compromise.
  • CERT.LV proactively monitors fraud campaigns, and highly values public involvement in identifying and reporting fraudulent websites. Reports received are aggregated, and malicious domain names are added to the DNS firewall. During the reporting period, the DNS firewall protected users from visiting malicious websites 1.03 million times, indicating a record-high intensity of fraud campaigns.
  • At the same time, the increase in fraud-related damage nationwide, particularly outside bank payment channels, highlights a critical need to strengthen public digital literacy and resilience, as well as the role of electronic communications operators in preventing telephone fraud.
  • The exploitation of vulnerabilities and the rapid growth in the number of compromised devices indicate the escalation of botnets, infected end-user devices and weak configurations, increasing the risk of further targeted attacks.
  • Significant risks are posed by distributed denial-of-service (DDoS) attacks targeting state institutions, information and communication technology (ICT) critical infrastructure and service providers. The primary objective of cyber-threat activities by Russia-aligned hacktivists in Latvia is to reduce Latvia’s support for Ukraine. Incidents recorded to date have not caused significant or lasting impacts on essential public functions, indicating the effectiveness of existing protective measures.
  • Cyber-espionage threats persist and may potentially be linked to Russia. Interest in Latvia’s ICT critical infrastructure from Chinese- and Belarusian-backed cyber attackers has not diminished. Indirect risks are increasing, particularly those related to supply chains and the use of external service providers as the most common “backdoor” into the targeted infrastructure.
  • Although Latvia’s cybersecurity regulatory framework is becoming more structured overall, the automation of cyber threats and the growing pace of cyber attacks increasingly challenge organisations’ ability to identify attacks in a timely manner. Faster and more effective detection of cyber threats is achieved by combining 24/7 monitoring of the cyberspace situation, oversight provided by the Security Operations Centre (SOC), proactive threat hunting, and targeted strengthening of the human factor and supply chain security.