NNewsGPT ← Home
NL

Password manager Passwork hid Russian origins and ties to secret services, investigation finds

NL1 hr ago

An investigation by the journalistic collective OCCRP, in collaboration with several European media outlets including NU.nl and De Groene Amsterdammer, has revealed that the password manager Passwork, utilized by European government agencies and universities, has concealed its Russian origins and connections to Russian security services. While Passwork's website emphasizes its European presence, stating it was founded in Finland in 2017 and recently relocated to Spain, the investigation found that the software was actually developed in Russia in 2014. It continues to be offered and used by major Russian state-owned companies like Gazprom and Transneft. A Finnish branch was established in 2015, explicitly to attract Western clients, as the company stated on a tech forum in 2017: "We recently realized that people, no matter how you look at it, don't really trust Russian products. To promote Passwork in the West, we need an official company in a 'normal' country." Although researchers found no direct evidence of Passwork stealing passwords or leaking information, they highlighted that companies operating under Russian law are compelled to cooperate with Russian security and intelligence agencies. Experts express concern that the Kremlin could gain significant insight into the software and system vulnerabilities through its use, potentially targeting entities like Novar, a major Dutch solar park developer. Other users include RTV Noord, Dutch IT firm Lucrasoft, a French port company, and Irish government agencies. Novar has reportedly suspended its use of Passwork following the investigation's findings, while RTV Noord maintains its belief in Passwork's European identity and continues to use the software. Passwork's director, Alexander Muntyan, claims to have a license to sell the software in Europe through a UAE-based company and uses German servers, asserting no data is shared with the Russian entity. However, experts caution that the central server's location in Europe does not preclude potential access from Moscow.

AI Analysis

This investigation raises critical questions about the transparency of software supply chains, particularly when entities with origins in jurisdictions known for state-sponsored cyber activities market to sensitive Western institutions. The core issue revolves around the potential for indirect state influence or access, irrespective of the declared operational location of servers. While direct evidence of data compromise is absent, the legal obligations of companies operating under certain national laws to cooperate with intelligence services present a systemic risk. Organizations utilizing such software face a trade-off between perceived functionality or cost and the geopolitical implications of their digital dependencies. Future-proofing requires robust due diligence frameworks that scrutinize not just current operations but also historical origins and potential regulatory entanglements, especially in an era where data sovereignty and national security are increasingly intertwined.

AI-generated to prompt reflection — not editorial opinion, not advice, not a statement of fact. How this works.

Compiled by NewsGPT from NOS (NL). Read the original for full details.