CERT.LV activity review Q1 2026
Latvian cyberspace experienced a full spectrum of cyber-attacks; quantitatively, the largest categories were fraud and malicious code. Meanwhile, distributed denial-of-service (DDoS) attacks against Latvian state and local government institutions and key service providers have become a constant operational risk, serving as a continuous stress test of capacity and resilience.
In Q1 2026, the cybersecurity threat level in Latvia remains high, requiring continued targeted measures to mitigate risks and strengthen resilience. Since Russia’s full-scale invasion of Ukraine in 2022, the number of registered cyber incidents in Latvian cyberspace has increased sixfold, while the number of identified compromised devices has increased eightfold.
The full version of the report is available here: PDF
Key trends and threats
A total of 846 cyber incidents were processed manually – a decrease of 8% compared to the previous quarter, while still representing the second-highest figure recorded to date.
Identified compromised devices reached 757 286, the highest figure recorded to date. The majority of these relate to configuration weaknesses, highlighting vulnerabilities in system and network security, primarily caused by human factors and insufficient security standards. At the same time, this figure reflects not only an actual increase in threats but also improved organisational cybersecurity capabilities in terms of visibility at the endpoint level, enabled by the implementation of CERT.LV’s Security Operations Centre (SOC) service and expanded compliance with national regulation. This visibility enables the earlier detection, analysis, and mitigation of cyber risks, and systematically strengthens overall resilience.
Most observed cyber-attacks did not result in significant or long-lasting consequences. This is largely due to preventive cybersecurity measures and the overall resilience of Latvian cyberspace.
CERT.LV’s DNS firewall blocked access to malicious websites more than 2.5 million times – this is 139% more than in the previous quarter and 416% more than in the same period last year. The decrease in the number of cyber incidents is also explained by the development of threat detection mechanisms. By continuing to develop automated detection capabilities, CERT.LV proactively identified and blocked 266 fraudulent campaigns, including preventing several near-incidents.
Dominant threats included phishing, information-stealing malware, fake software updates, and malicious browser extensions that bypass traditional protection mechanisms. The main risks were related to credential theft and unauthorised access.
Attacks are becoming increasingly automated and based on social engineering rather than purely technical vulnerabilities – further amplified by the growing capabilities of artificial intelligence, which accelerates fraud, intrusions, and automated attacks. The greatest challenge is not a single isolated threat, but the simultaneous occurrence of multiple risks.
A significant portion of cyber incidents were financially motivated. The activities of state-sponsored groups continue with varying intensity, including in relation to the geopolitical context. Russia continues to be the primary security threat, given Latvia’s support for Ukraine in the war against Russian aggression.
Serious concern remains regarding threats from hostile states aiming to gain control over critical infrastructure systems and carry out disruptive actions that could affect or even halt essential services. To mitigate such risks and make Latvia a more difficult target, CERT.LV continues to develop operational technology activities, ensuring broader visibility, threat identification, security testing, and coordinated incident response.
The increasing intensity of attacks, more innovative attack methods, and geopolitically motivated incidents clearly demonstrate the critical importance of cybersecurity. CERT.LV services, including SOC monitoring, threat hunting, and regular security testing, significantly strengthen Latvia’s cyber resilience. CERT.LV experts also provided regular training to strengthen users’ cybersecurity knowledge, educating 13 309 participants across 65 events during the reporting period.
As observed trends continue, priority should be given to strengthening endpoint security, resource capacity, user training, and supply chain control, while continuously improving response capabilities and operational continuity in line with regulatory requirements.








