The digital newspaper Neatkarīgā and the NRA portal last weekend experienced the largest cyber-attack in the history of the portal. The aim of the attack was to disrupt the operations of Neatkarīgā and nra.lv in order to prevent people from reading the content of the newspaper and the portal.
In the early hours of last Friday, nra.lv, which is read daily by more than 100,000 people from Latvia and other countries, was hit by a distributed denial of service, or DDoS, attack. DDoS attacks are aimed at making resources and the services they provide unavailable. If this was a long-term goal for the cybercriminals or the ones who ordered these attacks, they failed to achieve it with nra.lv. Indeed, access to the portal was interrupted for several hours. But after repelling the series of attacks, access to nra.lv was successfully restored. The content has not been affected.
DDoS attacks were also launched in recent weeks against ziedot.lv, inbox.lv, national news agency LETA, la.lv, tvnet.lv, draugiem.lv group companies draugiem.lv and ukrainascilvekiem.lv and others. In all these cases, the cybercriminals or the ones who ordered these attacks failed to stop access to these sites for long. In none of these cases was user data or content affected.
The portal nra.lv has already written that on May 12, a call for cyber-attacks against Latvia was circulated on various websites in Russia. Baiba Bļodniece, Parliamentary Secretary at the Ministry of Defense, told TV3 at the time that cyber-attacks on Latvian websites had intensified immediately after Russia's invasion of Ukraine, but since the events of May 9 and 10, the attacks have become even more intense.
Baiba Kaškina, head of Cert.lv, told the TV channel that Latvian authorities had been targeted by the Killnet hacker group. The attacks against Latvian institutions are mostly denial of service (DDoS) attacks, which are quite simple and cheap, but because of their simplicity, they can be long-lasting.
On May 16, just after midnight, inbox.lv also experienced the biggest hacking attack in its history. Andris Griķis, Chairman of the Board, explained that it was a distributed denial of service attack, more commonly known as DDoS, where a single target is attacked with fake requests from multiple sources, usually controlled by a single attacker, thus achieving greater efficiency. Inbox.lv successfully recovered and no user data or content was affected.
On May 19, at around 8 am, cybercriminals attacked draugiem.lv and ukrainascilvekiem.lv, temporarily paralysing their websites. Draugiem.lv also successfully recovered and no user data or content was affected.
Tet confirms that the number of denial of service attacks in Latvia has increased dramatically in recent weeks, including against public institutions. These attacks send so many requests to the website of the criminals' choice that they overload publicly accessible websites and bring them to a halt.
Even before the Russian invasion of Ukraine, Tet experts had noticed suspicious activity on the core network, but after the outbreak of war, there was a lull for some time. Now Latvia is once again the focus of attackers. "In the first month of the war, we even started to wonder why the systems were not showing security alerts. It was because we were not an important target for a while. But since May 9 the situation has changed radically - Latvia is back in focus, DDoS is back, and both the public sector and business are experiencing it," said Uldis Lībietis, IT Security Manager at Tet, during a discussion organized by the IT company Tet.
"Since May 9, Latvian cyberspace has been targeted by Russian aggressors who have carried out DDoS attacks against public institutions, as well as companies and organizations in various sectors. As far as the protection of Latvia's critical systems is concerned, the 'homework' has been done, and in cooperation with Internet service providers, adequate protection has been provided to prevent such attacks from being effective, but this should not deter further improvement of security measures, as the attackers continue to improve their methods," Varis Teivāns, Deputy Head of Cert.lv, commented on the situation during the discussion.
Attacks continue against other public institutions and corporations, medical service providers and telecommunications companies. "We see that attackers are trying different methods and looking for opportunities to exploit weaknesses in our defenses," said Lībietis.
In recent weeks, Latvian cyberspace has also witnessed cyber-attackers' activities unrelated to the war in Ukraine, aimed at defrauding citizens of their finances by using Google's advertising service as an attack tool, Līga Besere, a representative of Cert.lv, told LETA news agency. She said that the attackers purchase Google ads, which contain text and links that mimic the websites of popular Latvian banks, but when the fraudulent link is opened, visitors are taken to a fake website that visually resembles the real bank's website, the difference being in the website address, which is visible in the address bar at the top of the browser.
Paid advertisements appear as the first results at the top of the Google search engine list, and if you try to access online banking by typing the name of the bank you are looking for into Google search, you risk being taken to a fraudulent page.
For security reasons, Cert.lv encourages you to manually enter the bank's website address in your browser and save it in your browser's bookmarks list for re-use, and to pay attention when searching whether the search result is preceded by "Advertisement" or "Ad", which means that someone has paid for the address to be displayed.
Besere noted that she had received information about several victims who had lost money by entering their bank login details on fraudulent websites, including imitations of the Luminor Bank website, but that fraudsters may also be using fake sites imitating other banks.