Riga, Latvia
IMAGE: Ivars Utināns/Unsplash

Latvia’s cyberspace faces new challenges amid war in Ukraine

Russian cyberattacks may be a global threat, but Ukraine's allies have been especially at risk. Among them is Latvia, which was one of the first to declare Russia a “state sponsor of terrorism” and stopped issuing entry visas to Russian citizens in August.

Before Russia invaded Ukraine in late February, most cyberattacks targeting Latvian organizations were financially motivated, but now the country’s cybersecurity agencies have to deal with more serious threats — pro-Russian hacktivists and nation-state hackers targeting the government, critical infrastructure, and private businesses. 

Since the beginning of the war in Ukraine, the number of cyberattacks in Latvia has increased by more than 30%, Varis Teivans, the deputy manager of Latvia’s Computer Emergency Readiness Team (CERT), told The Record. 

What hackers are actually achieving, however, is less clear. Cyberattacks by pro-Kremlin hacktivist groups like Killnet usually achieve nothing more than publicity, although Teivans does admit the activity of state-backed hackers is “a cause for concern.” 

The Record visited Teivans at CERT's office in the Latvian capital of Riga this month to talk about the new challenges Russia’s war with Ukraine poses for Baltic cyberspace.

Hacktivists vs APT groups

The cyberattacks that attract the most media attention in Latvia are usually carried out by pro-Kremlin hacktivists, including Killnet and its affiliates (like XakNet and FuckNet), according to Teivans. 

They usually conduct distributed denial-of-service (DDoS) attacks, flooding websites with junk traffic to knock them offline, or post threatening messages on the main page of the websites, in what’s known as defacement attacks.

Most of these are successfully countered by Latvian cybersecurity specialists, and those that hit the targets have no lasting impact, according to Teivans.

For example, Killnet launched a DDoS attack on the website of the Latvian parliament in early August. They took the site down for several hours but it ultimately didn't disturb the work of policymakers.

Hacktivists often attack in response to specific events, according to Teivans — Latvia designated Russia a “state sponsor of terrorism” shortly before the DDoS attack on the parliament website.

In July, pro-Kremlin hacktivists attacked Latvian computer systems almost daily, outraged by the Latvian government's decision to demolish nearly 300 Soviet monuments.

"What they've achieved was to disrupt some of the public transport ticketing services,” and a charity that collects donations for people in need, Teivans said. “This is a very bad performance.”

According to Teivans, Russian hacktivists have a "poor understanding" of what they are targeting. Once, they attacked the website of a now-closed Latvian airport, and mistakenly hacked the Latvian agency responsible for parks and recreation, confusing it with the Ministry of the Interior.

“Russian hacktivists are a PR project, not talented hackers,” Teivans said. “Every time they claim to have hacked some of our websites and leaked information, it’s a lie, sometimes a very pathetic one.”

FuckNet, for example, once claimed to have hacked the website of President Egils Levits and stolen data, which, it turned out, was publicly available procurement information.

There are, however, more sophisticated cyber operations conducted by capable Russian hackers — the so-called advanced persistent threat (APT) groups. "These are the attacks we are most concerned about," Teivans said.

Threats to critical infrastructure

Among APT groups’ most common targets are state services, critical infrastructure facilities, and businesses that work with the government. “Private businesses are compromised to gain access to more secure government networks,” Teivans said.

The same hacker groups that have targeted Ukraine have tried to compromise Latvia's telecommunication and energy infrastructure, Teivans added, though he said he couldn’t disclose the names of the groups or the impact these attacks had due to security reasons.

In September, the Ukrainian government warned that Russia plans to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, including the Baltic countries.

Carefully planned cyberattacks on the right targets could increase the effect of missile strikes on electrical supply facilities, according to Ukrainian intelligence.

Teivans agreed that Russian hackers could intensify their attacks on Europe's energy sector and some critical infrastructure. In fact, they may have been preparing for these attacks for months.

“APT operations are not opportunistic,” Teivans said. “Nation-state hackers usually ‘sit’ in critical networks for a while, waiting for a perfect moment to attack.”

Countering old threats

Latvia was a common target for Russian hackers even before the start of the war in Ukraine, said Teivans, who has worked at CERT since its inception in 2007.

For example, Russian hackers repeatedly targeted Latvia during and after the October 2018 parliamentary elections. These attacks didn’t alter the election results but created distrust between Moscow and Riga.

Prior to those elections, pro-Russia hackers replaced the front page of the Facebook-like Latvian social media site Draugiem with a Russian flag and a message saying “Fellow Latvians, this concerns you. The Russian border has no limits!”

With the beginning of the war in Ukraine, Estonia and Lithuania were also increasingly attacked by Russian hackers.

Like its Baltic neighbors, Latvia was formerly part of the Soviet Union and still has a large Russian-speaking minority. But its government actively supported Ukraine in the war against Russia, sending weapons, sheltering Ukrainian refugees and supporting sanctions against the Kremlin. Since extending that support, the number of cyberattacks on Latvia has increased significantly.

To counter these threats, the country has two CERTs — one responsible for Latvia's cyberspace with a focus on government computer systems and critical infrastructure, and the other for the protection of military networks.

Both of them are subordinate to Latvia's Ministry of Defense, which Teivans says is a big advantage. "The MOD is committed to cybersecurity and heavily supports it legislatively and with funding," he said.

Although Latvia is preparing for Russian attacks, Teivans doesn’t think that the country will be struck in the same way as Ukrainian targets.

“We are still at a stage where kinetic warfare is a priority for the attacking nation, while cyber is only a tool for threat actors to gain some economic and political advantage or a means to support kinetic operations,” he told The Record.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.