Two Swiss federal agencies have acknowledged using software from a Moscow-registered company, which could present cybersecurity risks.
This was discovered during an investigation by the Italian service of the Swiss public broadcaster RSI.
The software in question is from ElcomSoft, a company that specializes in password recovery and decryption software for mobile phones and computers. Its website states that it is based in Prague.
In fact, the company’s headquarters are located in Moscow. After Russia began the full-scale war in Ukraine, ElcomSoft removed the Russian address from its website, according to a search in the Internet archive.
RSI found evidence that ElcomSoft continues to operate in Moscow. Employees, programmers, and even the CEO associated with the company, whom the broadcaster was able to find on LinkedIn, are residents of Russia.
Among ElcomSoft’s clients are the Federal Police Department (Polizia Federale) and the Swiss Federal Office of Arms (ArmaSuisse), which deals with military procurement.
Armasuisse confirmed in response to RSI’s request that it had “purchased software from this manufacturer for testing purposes,” but did not specify what kind of testing or how the product was used.
“Software that is tantamount to a weapon”
For Sebastien Fanti, a former data protection delegate in Canton Valais and expert in these technologies, the use of such software raises serious questions for national cybersecurity.
“This is a Russian company that deals with the development of forensic products for surveillance. It is a company that is therefore subject to Russian law, so potentially the authorities and intelligence services in Moscow can have access to the results of investigations that are carried out using this software,” he explained to RSI.
So, Fanti concludes, “one must choose one’s partners very carefully because one cannot take risks. Trusted partners operating in a country that guarantees respect for the law and democratic rules should take precedence. This is not the case with Russia.” According to the expert, “this surveillance software is comparable to a weapon.” And “it should be treated as such.”
The broadcaster also found out that the Swiss Federal Police “purchased licenses for four products from ElcomSoft in 2024” that it used without an internet connection. They assured me that they had already found analogies with the Russian company.
Even when used offline, the use of Russian programs puts federal authorities’ cybersecurity at risk, according to experts RSI interviewed.
In recent years, the number of cyberattacks in Switzerland has increased, including on local authorities, online medical offices, the media, and large financial companies. Last summer, on the darknet, hackers published data from the Federal Police Office and the Federal Office of Customs and Border Security.