Saturday, July 18, 2026

Spanish password manager sold to EU governments kept undisclosed Russian ties, investigation finds

July 18, 2026
1 min read
Spanish password manager sold to EU governments kept undisclosed Russian ties, investigation finds
Spanish password manager sold to EU governments kept undisclosed Russian ties, investigation finds

A Spanish company that markets a password management tool to government agencies and research institutions across the European Union has maintained technological and personnel links to Russia, with its software certified by a Russian state body responsible for export control and cybersecurity, according to an investigation published by Le Monde.

Passwork Europe S.L., which presents itself as a European developer of password management software, shares a common code base, synchronized updates and identical documentation with the Russian company Passwork LLC, the investigation found. Updates to the European version are distributed through a company registered in the United Arab Emirates that is controlled by one of the Russian co-founders.

Passwork LLC obtained certification from Russia’s Federal Service for Technical and Export Control (FSTEC), a body subordinate to the Russian defense ministry. The certification process involves a detailed analysis of the software’s source code to identify vulnerabilities and undeclared capabilities, effectively giving Russian state authorities comprehensive knowledge of the product’s architecture.

Shared code base, synchronized releases

Cybersecurity experts cited in the investigation said such audits provide deep insight into the software’s design, creating a potential risk for European users if any identified vulnerabilities or intentionally embedded backdoors are exploited. The shared origin of the European and Russian versions means that any weaknesses uncovered by Russian authorities could be leveraged against European clients.

The supply chain for updates to Passwork Europe’s software mirrors a known vector for cyberattacks. The investigation noted that similar update channels were used in the SolarWinds attack, where malicious code was distributed through legitimate software updates. The synchronization of releases between the Russian and European versions, including version 7.6, confirms a unified development process, according to the report.

Most European clients, including government institutions in Ireland and other organizations, were not informed about the product’s Russian origins. The lack of disclosure undermines trust in the provider of software designed to secure access to government systems and sensitive data, the investigation found.

The European clients that chose Passwork Europe S.L. because of its purported European origin now face the need for urgent security audits, alternative solutions and explanations to stakeholders, leading to financial costs and reputational damage, the report said.

Russia has systematically deployed cyberattacks against critical infrastructure, government agencies and research organizations in EU countries, using hacking groups to conduct espionage and disrupt operations. The presence of software with Russian ties in the access chains of European state networks poses what the investigation described as an unacceptable risk for data leakage, metadata exposure and targeted attacks on specific organizations.

Leave a Reply

Your email address will not be published.

Don't Miss

Russia accuses France, Ukraine of using terrorist groups in Africa in disinformation push

Russia accuses France, Ukraine of using terrorist groups in Africa in disinformation push

Russia’s Foreign Ministry has accused France and Ukraine of collaborating with terrorist
Spanish password manager with Russian ties supplies EU government agencies

Spanish password manager with Russian ties supplies EU government agencies

A Spanish company marketing a password manager to European government bodies and