Chinese-Linked APT Group Salt Typhoon Suspected in IBM Italy Subsidiary Breach
In late April 2026, Italian cybersecurity authorities detected a significant breach at Sistemi Informativi, an IBM Italy subsidiary that manages IT infrastructure for critical public and private institutions. The incident, first reported by La Repubblica, has raised alarms over the expanding reach of Chinese-linked cyber operations in Europe.
IBM confirmed the attack, stating it had "identified and contained a cybersecurity incident" and restored affected systems, though details on the breach’s scope remain undisclosed. The company’s website was temporarily taken offline during containment efforts.
Multiple intelligence sources suggest the China-associated advanced persistent threat (APT) group Salt Typhoon is behind the attack. If confirmed, this would mark one of the most ambitious cyber intrusions targeting Italy’s public infrastructure in recent years.
Active since at least 2019, Salt Typhoon has intensified its operations over the past two years, specializing in supply-chain attacks and zero-day exploits. The group is known for its technical precision, avoiding broad phishing campaigns in favor of infiltrating networks through vulnerabilities in widely used systems, such as Citrix and Cisco. Recent targets include Viasat, Canadian telecom firms, the U.S. Army National Guard, and Dutch government networks, with each intrusion characterized by prolonged data exfiltration and silent reconnaissance.
As a key IT provider for Italian institutions, Sistemi Informativi’s compromise could expose sensitive data and critical infrastructure connections, enabling attackers to map and potentially disrupt national digital systems. The breach underscores a growing vulnerability: third-party IT providers serving as high-value targets, where a single compromise can grant access to multiple government and private-sector networks.
The incident reflects broader trends in cyber warfare, where state-linked APTs increasingly exploit supply-chain weaknesses and AI-driven tactics to infiltrate critical infrastructure. For Italy and Europe, the attack highlights the need for stronger defenses and enhanced coordination between governments, industry, and intelligence agencies.
Sistemi Informativi, an IBM Company cybersecurity rating report: https://www.rankiteo.com/company/sistemi-informativi
{
  "id": "SIS1777847095",
  "linkid": "sistemi-informativi",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Critical public and private '
                                              'institutions',
                        'industry': 'Information Technology, Public Sector '
                                    'Services',
                        'location': 'Italy',
                        'name': 'Sistemi Informativi (IBM Italy subsidiary)',
                        'type': 'IT infrastructure provider'}],
 'attack_vector': 'Vulnerabilities in widely used systems (e.g., Citrix, '
                  'Cisco), Zero-day exploits',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive data, Critical '
                                             'infrastructure connections'},
 'date_detected': '2026-04',
 'description': 'In late April 2026, Italian cybersecurity authorities '
                'detected a significant breach at *Sistemi Informativi*, an '
                'IBM Italy subsidiary that manages IT infrastructure for '
                'critical public and private institutions. The incident, first '
                'reported by *La Repubblica*, has raised alarms over the '
                'expanding reach of Chinese-linked cyber operations in Europe. '
                "IBM confirmed the attack, stating it had 'identified and "
                "contained a cybersecurity incident' and restored affected "
                'systems, though details on the breach’s scope remain '
                'undisclosed. The company’s website was temporarily taken '
                'offline during containment efforts.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to IBM '
                                       'and Sistemi Informativi',
            'data_compromised': 'Sensitive data, Critical infrastructure '
                                'connections',
            'operational_impact': 'Temporary website takedown, System '
                                  'restoration efforts',
            'systems_affected': 'IT infrastructure of public and private '
                                'institutions'},
 'initial_access_broker': {'entry_point': 'Vulnerabilities in widely used '
                                          'systems (e.g., Citrix, Cisco)',
                           'high_value_targets': 'Critical public and private '
                                                 'institutions'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Third-party IT providers are high-value targets for '
                    'supply-chain attacks. A single compromise can grant '
                    'access to multiple government and private-sector '
                    'networks. Stronger defenses and enhanced coordination '
                    'between governments, industry, and intelligence agencies '
                    'are needed.',
 'motivation': 'Espionage, Critical infrastructure mapping, Data exfiltration',
 'post_incident_analysis': {'root_causes': 'Supply-chain weaknesses, Zero-day '
                                           'exploits, Prolonged reconnaissance '
                                           'by APT group'},
 'recommendations': 'Strengthen supply-chain security, enhance monitoring of '
                    'critical infrastructure, improve coordination between '
                    'public and private sectors, and invest in AI-driven '
                    'cybersecurity defenses.',
 'references': [{'source': 'La Repubblica'}],
 'response': {'communication_strategy': 'Public confirmation of incident',
              'containment_measures': 'System restoration, Temporary website '
                                      'takedown',
              'incident_response_plan_activated': 'Yes',
              'recovery_measures': 'Systems restored'},
 'threat_actor': 'Salt Typhoon (APT group, China-linked)',
 'title': 'Chinese-Linked APT Group Salt Typhoon Suspected in IBM Italy '
          'Subsidiary Breach',
 'type': 'Supply-chain attack, Data exfiltration, Reconnaissance',
 'vulnerability_exploited': 'Zero-day exploits, Supply-chain weaknesses'}