Saturday, July 18, 2026

Spanish password manager with Russian ties supplies EU government agencies

July 18, 2026
1 min read
Spanish password manager with Russian ties supplies EU government agencies
Spanish password manager with Russian ties supplies EU government agencies

A Spanish company marketing a password manager to European government bodies and research institutions maintains technological and personnel links with a Russian organization whose software underwent certification by Russian state security services, according to an investigation published Friday.

Passwork Europe S.L., based in Spain, presents itself as a European developer of enterprise password management software. Its products are used by public institutions in several European Union member states, including government agencies and universities. However, an examination by Le Monde found that the company shares a common code base, synchronized release cycles and identical documentation with Passwork LLC, a Russian entity based in Moscow.

The Russian version of the software received certification from the Federal Service for Technical and Export Control (FSTEC), an agency under the Russian Ministry of Defense. That process involved a detailed analysis of the source code to identify vulnerabilities and undeclared capabilities, effectively giving the Russian state a comprehensive understanding of the software’s architecture.

Shared architecture and update channel

Industry experts warned that because the European and Russian versions share a common origin, any vulnerabilities discovered during the Russian state audit – or deliberately introduced – could be exploited against European users. The risk is amplified by the fact that updates for Passwork Europe S.L. are distributed through an opaque company based in the United Arab Emirates, controlled by one of the Russian co-founders of Passwork LLC.

This update mechanism mirrors tactics used in supply chain attacks such as the SolarWinds breach, where malicious code was distributed through legitimate software updates. The synchronization of releases, including version 7.6, between the Russian and European editions confirms a unified development process, experts said.

Lack of disclosure to European clients

The investigation found that the majority of European clients, including Irish government institutions and other organizations handling sensitive data, were not informed about the software’s Russian origins. Passwork Europe S.L. had previously stated it was independent and had no affiliation with Russia.

Security analysts said the failure to fully disclose the relationship constitutes a significant breach of cybersecurity due diligence, given the elevated threat environment. Russian state-linked hacking groups have repeatedly targeted critical infrastructure, government networks and research institutions across the EU.

The use of software that retains technological, personnel and operational ties with Russian developers creates an unacceptable risk for European national security, experts said. Even the potential for Kremlin influence over the development or maintenance process must be treated as a factor compromising the cybersecurity of the European Union, they added.

European organizations that adopted Passwork Europe S.L. on the basis of its claimed European provenance now face a need for urgent security audits, replacement of the software and reputational damage.

Leave a Reply

Your email address will not be published.

Don't Miss

Russia accuses France, Ukraine of using terrorist groups in Africa in disinformation push

Russia accuses France, Ukraine of using terrorist groups in Africa in disinformation push

Russia’s Foreign Ministry has accused France and Ukraine of collaborating with terrorist
Spanish password manager sold to EU governments kept undisclosed Russian ties, investigation finds

Spanish password manager sold to EU governments kept undisclosed Russian ties, investigation finds

A Spanish company that markets a password management tool to government agencies