EvoEX
← All articlesCybersecurity, Servers

🚨 Security Above All: What We've Learned from the LVM Attack

07/07/20266 min read
🚨 Security Above All: What We've Learned from the LVM Attack

At EvoEx, we've been doing things differently for some time now. No line of code reaches our clients without a complete security audit, our servers have no external "doors" to knock on, and if someone tries anyway—the system catches it and blocks it in seconds, not after damage is done. Here's what that looks like in practice and why we've invested thousands of euros in it!

This year's Midsummer break brought something to Latvia's IT sector that's hard to forget—an attack on the IT infrastructure of Latvia's State Forests. The attack was discovered on June 22, 2026, but it later emerged that the hacker had actually infiltrated the system on June 11 and operated undetected for several days, only becoming active on the night of June 22-23. Responsibility for the attack was claimed by a ransomware group—the same type of attack that in recent years has increasingly targeted both public and private sector organizations. Some sources mention a specific ransom amount demanded by the attacker, but LVM has officially denied this, so we'll focus on what's confirmed: the company was forced to shut down its entire IT infrastructure, several public systems (LVM GEO, the hunting app Mednis) and internal services were unavailable for several days.

It reminded everyone working in this field of one simple but uncomfortable truth: if you only deal with security after something has already gone wrong, it's too late. In LVM's case, the attacker was able to operate in the system for several days because there were no tools to detect anomalies in real time—a situation the Prime Minister later highlighted as well. Configuration flaws and undetected vulnerabilities can remain hidden for extended periods until someone finds them—and unfortunately, that someone is often not the person it should be.

When we at EvoEx designed our infrastructure, we chose a different path. Rather than wait and react, we focus on preventing problems from happening in the first place.

Security Starts Before Code Reaches the Server

In our development process, no change reaches the production server without undergoing complete automated security checks. Every new piece of code is analyzed in real-time by specialized security tools based on globally recognized OWASP Top 10 principlesthe standard used to detect the most common and dangerous types of vulnerabilities.

If the tools detect even minor risk, the change is blocked. The system itself attempts to fix the problematic code section, re-analyzes it, and the process continues until the risk count is precisely zero. Only then can changes reach users.

The LVM case demonstrated that a system can seem to be running normally while an attacker has already been inside for days—and without the right tools, this can simply go unnoticed.

In our approach, this isn't a edge case but the primary scenario we've been designing against from day one: minimal access, isolated systems and continuous automatic auditing, rather than relying on someone to review everything once a year.

This notification reaches our team every time changes pass through the complete security audit and auto-remediation cycle before deployment.

Servers with Nothing to Lose from the Outside

One of the simplest but most often forgotten security principles—if the doors aren't open, they can't be broken into. Our servers run on Hetzner infrastructure, and we have completely closed external access ports that are traditionally used for remote server access.

Instead, the server itself, from the inside, checks an authorized code repository and, when everything is verified and secure, pulls updates. No one can "knock" from outside because the doors simply aren't there.

Additionally, websites implement strict security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy), which protect users from data interception, website cloning and other common attack types.

When Someone Tries Anyway...

Completely eliminating attack attempts is impossible—the internet is full of automated bots constantly scanning websites looking for weak spots. That's why we built our own system that detects these attempts and responds immediately.

If a brute-force attempt or suspicious scanning is detected, the attacker's IP address is immediately blocked at the firewall level. But that's not where the work ends—our custom analysis tool immediately begins investigating what happened: what were the requests, what was their pattern, what was the attacker trying to accomplish.

Resulta brief, clear report in English that immediately reaches our developer team's Discord channel.

Additionally, we're currently developing a so-called "page-call" or on-call alert systema solution that in the case of serious incidents automatically calls the responsible developer on their phone, regardless of the time of day, so that response doesn't depend on someone voluntarily checking the Discord channel. This way we not only stop the attempt but also know exactly what happened.

A real example from our system—a suspicious request is blocked immediately, and every hour an automated summary is generated of all attempts, their origins and likely intent

What This Means for the Client

By choosing EvoEx, a client doesn't just get a website or system—they get an infrastructure where security isn't an afterthought but the foundation.

Today, a ransomware attack is rarely just a technical problem—it's a business continuity risk. In the LVM case, both public and internal services were unavailable for several days, and a few days of downtime plus potential data breach could cost a company far more than an investment in prevention.

In practice, this means several specific things we do and recommend to clients as well:

  • Regular backups with a genuinely tested recovery process, not backups whose functionality has never been verified.

  • Access and permission management based on the principle of minimal necessary access, so one compromised access doesn't provide a path to everything.

  • Continuous monitoring and anomaly detection, rather than relying on an annual audit.

  • Segmented infrastructure, so a problem in one part of the system doesn't spread across the entire organization.

  • Bug fixes before deployment, not after something has already happened on the internet.

  • Background updates, without interruptions, so websites and portals continue running continuously.

Cybersecurity isn't a process you can "fix once and forget." It's ongoing work. And we believe—the less our clients have to worry about it, the better we're doing our job.

Why We're Telling You This

We didn't build all of this because someone asked us to. Over the past year, we've invested thousands of euros to build this system and continue developing it—time, tools, and our own custom software that today runs in the background, continuously, every single day.

It's not a one-time investment you can check off and forget—it's infrastructure we continue to invest in because we know attackers' methods evolve faster than most organizations can respond.

The LVM case showed that even large companies with resources can lack exactly this—a system that detects problems before they become a crisis.

This means that a client who chooses EvoEx doesn't have to worry whether their data and system are protected only as an afterthought. Security isn't an add-on service that can be added later—it's already built into every project we create.

If you'd like to know what your website or system's security looks like from the outside, get in touch with us—we'll evaluate it together and tell you honestly where the risks are and what to do about them.

Book your audit—EvoEx Audit from 390 EURO

EvoEX
Article prepared by
EvoEX
Drošības daļa

Ready to start your project?

Tell us about your idea — we'll email you a proposed time for a video call to discuss the details and prepare a quote.