The Justice Department and FBI are using password-breaking software produced by a Russian technology firm set up by a cryptographer who attended a school linked to the KGB.
The U.S. government’s contracts and use of the Russian-origin password-cracking software produced by the Moscow-based company called Elcomsoft is raising security concerns among some U.S. officials and security experts.
The company was founded by Alexander Katalov, who stated in a 2001 online interview that he once "studied at the highest school of the KGB," the Soviet-era political police and intelligence service. He also said the FBI "on many occasions" purchased forensic software programs from Elcomsoft.
Password-breaking software was used by the FBI to access the locked iPhone of the Islamist terrorist Syed Farook, who carried out the Dec. 2 shooting in San Bernardino, Calif., that killed 14 people and wounded 22 others. News reports have said an Israeli security firm helped the bureau hack the iPhone 5s that was owned by a local government agency that had employed Farook.
Elcomsoft CEO Vladimir Katalov, Alexander’s younger brother, denied the company has ties to the KGB’s successor, the Federal Security Service. He stated in an email to the Washington Free Beacon that the company does business with both the FBI and FSB, as the Russian spy service is known.
"We only develop and sell the software, and do not cooperate with any intelligence or security service," Katalov said. "However, our software is being widely used by government, military, forensic and law enforcement organizations all over the world, from FSB to FBI."
Public records show the Justice Department, FBI, and Department of Homeland Security have purchased Elcomsoft software since at least 2012.
In August 2014 and in March 2015 the FBI signed contracts worth $1,495 and $2,542 respectively for Elcomsoft software with a Nevada company called Password Mining LLC, a U.S. subsidiary of Elcomsoft.
Password Mining’s officers include two officers of Elcomsoft, the Katalov brothers.
Justice Department spokesman Marc Raimondi and FBI spokesman Matthew Bertron declined to comment.
The FBI purchased what records describe as "Elcomsoft iOS Forensic Toolkit, Full Version," in 2014 and "Elcomsoft Blackberry Backup Explorer and Elcomsoft iOS Forensic Toolkit Renewal" a year later.
Earlier in September 2012, the Justice Department’s Criminal Division purchased the "Elcomsoft Password Bundle Forensic Edition" from a company called H-11 Digital Forensics Co. LLC, a Utah-based reseller of forensics software and hardware.
The Department of Homeland Security’s U.S. Customs and Border Protection also purchased Elcomsoft’s Password Recovery Suite in June 2015.
A DHS spokesman did not respond to emails seeking comment.
Michelle Van Cleave, former National Counterintelligence Executive, a senior counterintelligence official, said Russian intelligence frequently coopts businesses.
"Russia’s security services—in particular the FSB, the KGB’s successor—are the glue that binds Putin’s government to the oligarchs’ business operations worldwide," Van Cleave said.
"You have to assume that any successful Russian industry is tied into that complex—especially companies that specialize in cutting-edge cyber capabilities. It’s difficult to believe that their security services would let that kind of expertise be offered for sale without getting something in return."
Chris Farrell, director of research at the watchdog group Judicial Watch and a former Army counterintelligence officer, also warned about the use of Russian-origin software.
"The Justice Department’s decision to engage Russian technology firms, or their thinly-veiled U.S. subsidiaries, borders on reckless," Farrell said. "Many such business entities act as surrogates or co-optees of foreign intelligence services."
A U.S. official familiar with the company said the founders appear to have had a past relationship with the KGB and asked "why is DoJ having contracts with this company?"
Katalov confirmed that the company founder spent a year at the KGB university.
"Yes, Alexander has studied in this university, its current name is FSB Academy," he said, adding that it was "just a university" and that Alexander’s specialty was cryptography. He attended for a year and then quit to study at another university, he said.
"Since then, he had no relationship with any Russian government, security, or law enforcement services," he said.
Elcomsoft programs are "mostly used on the computers that are not even connected to the Internet, for security reasons, as a rule in the most organizations mentioned above," he said.
Katalov added that "even more important, it is in fact not really hard to detect whether the software opens some ports for incoming Internet connections, or send [may send] any data over the network etc."
Additionally, the company would provide source code for the software for security analysis, he said.
"And finally, did you ever think what is going to happen with our Elcomsoft reputation if any security vulnerabilities are found?" Katalov asked.
The Justice Department in 2001 charged Elcomsoft and one of its employees with violating the Digital Millennium Copyright Act for illegally selling software designed to circumvent copyright-protected e-books. Charges against the employee were dropped and the company was found not guilty of the charges in a 2002 trial in San Jose.
In February, DNI James Clapper told Congress that Russia is one of the leading threat actors in cyberspace.
"Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny," Clapper said.
"Russian cyber operations are likely to target U.S. interests to support several strategic objectives: intelligence gathering to support Russian decision making in the Ukraine and Syrian crises, influence operations to support military and political objectives, and continuing preparation of the cyber environment for future contingencies," he said.
Update Saturday, May 7, 6:30 P.M.: This post has been updated with further comment from Vladimir Katalov.