A Spanish company that markets a password management tool to government agencies and research institutions across the European Union has maintained technological and personnel links to Russia, with its software certified by a Russian state body responsible for export control and cybersecurity, according to an investigation published by Le Monde.
Passwork Europe S.L., which presents itself as a European developer of password management software, shares a common code base, synchronized updates and identical documentation with the Russian company Passwork LLC, the investigation found. Updates to the European version are distributed through a company registered in the United Arab Emirates that is controlled by one of the Russian co-founders.
Passwork LLC obtained certification from Russia’s Federal Service for Technical and Export Control (FSTEC), a body subordinate to the Russian defense ministry. The certification process involves a detailed analysis of the software’s source code to identify vulnerabilities and undeclared capabilities, effectively giving Russian state authorities comprehensive knowledge of the product’s architecture.
Shared code base, synchronized releases
Cybersecurity experts cited in the investigation said such audits provide deep insight into the software’s design, creating a potential risk for European users if any identified vulnerabilities or intentionally embedded backdoors are exploited. The shared origin of the European and Russian versions means that any weaknesses uncovered by Russian authorities could be leveraged against European clients.
The supply chain for updates to Passwork Europe’s software mirrors a known vector for cyberattacks. The investigation noted that similar update channels were used in the SolarWinds attack, where malicious code was distributed through legitimate software updates. The synchronization of releases between the Russian and European versions, including version 7.6, confirms a unified development process, according to the report.
Most European clients, including government institutions in Ireland and other organizations, were not informed about the product’s Russian origins. The lack of disclosure undermines trust in the provider of software designed to secure access to government systems and sensitive data, the investigation found.
The European clients that chose Passwork Europe S.L. because of its purported European origin now face the need for urgent security audits, alternative solutions and explanations to stakeholders, leading to financial costs and reputational damage, the report said.
Russia has systematically deployed cyberattacks against critical infrastructure, government agencies and research organizations in EU countries, using hacking groups to conduct espionage and disrupt operations. The presence of software with Russian ties in the access chains of European state networks poses what the investigation described as an unacceptable risk for data leakage, metadata exposure and targeted attacks on specific organizations.