Sistemi Informativi, an IBM Italy subsidiary managing IT infrastructure for Italian public agencies and major private companies, was breached by the Chinese-linked APT group Salt Typhoon in late April 2026. The attackers maintained silent access for approximately two weeks before IBM detected and contained the incident, according to Italian media reports.
The breach targeted a company that operates at the core of Italy’s digital infrastructure. Sistemi Informativi provides IT services to national institutions including INPS and INAIL, as well as major firms across the finance, telecommunications and energy sectors. IBM confirmed the incident to Italian media, stating systems have been stabilised but offering no details on scope or data accessed.
This is supply chain espionage on a national scale: one compromised integrator potentially exposing multiple government databases through a single entry point.
Two Weeks of Undetected Access
Intelligence sources suggest the attackers gained access to Sistemi Informativi’s systems in early April 2026 and remained undetected until late in the month, according to La Repubblica’s investigation. This extended dwell time is characteristic of Salt Typhoon operations, which prioritise intelligence gathering over disruption.
The group deployed no ransomware, issued no public statements and made no extortion demands. Their objective was data extraction, not destruction. During those two weeks, they could have mapped Italy’s digital infrastructure connections, accessed government databases and exfiltrated sensitive information without triggering security alerts.
Sistemi Informativi’s website remained unreachable for hours during the incident response, suggesting the company took systems offline to contain the breach rather than maintaining operations during the investigation.
Salt Typhoon’s European Expansion
This incident fits a documented pattern of Salt Typhoon activity across Europe throughout 2025 and 2026. Darktrace researchers observed the group exploiting Citrix NetScaler Gateway vulnerabilities to breach a European telecommunications provider in July 2025. The FBI confirmed in February 2026 that Salt Typhoon operations remain “active and ongoing” across more than 80 countries.
The group has compromised Canadian telecoms, targeted Norwegian infrastructure and breached all four national telecommunications providers in Singapore. Their operational scope now spans over 200 organisations globally, making it one of the most extensive state-sponsored espionage campaigns on record, according to FBI assessments.
Western intelligence agencies assess Salt Typhoon operates under China’s Ministry of State Security with support from Chinese technology contractors. The US Treasury sanctioned Sichuan Juxinhe Network Technology in January 2025 for direct involvement with the group.
Why Italian Public Administration Is Exposed
The Sistemi Informativi breach exposes a structural vulnerability in how Italy manages its digital infrastructure. Critical government systems depend on third-party IT providers like Sistemi Informativi, which creates single points of failure that can expose multiple agencies simultaneously.
According to William Nonnis, a digital technology analyst at the Italian Prime Minister’s office, most central government IT systems are actually managed by Microsoft rather than IBM subsidiaries. The real risk lies with local administrations and specific agencies that do rely on Sistemi Informativi’s services.
The incident demonstrates that targeting IT service providers remains more efficient than attacking individual government agencies. One successful breach can provide access to dozens of client systems simultaneously, which explains why Salt Typhoon continues to focus on infrastructure providers rather than end targets.
May 5, 2026