In late April 2026, Sistemi Informativi, an Italian IT infrastructure provider wholly owned by IBM Italy, was hit by a cybersecurity incident that Italian investigative reporting attributes to Salt Typhoon, the China-linked espionage group. IBM has confirmed the incident and containment efforts but has not disclosed the scope. The company manages IT infrastructure for Italian public agencies and major private organizations, making it a high-value upstream target.
What Happened
IBM issued an official statement acknowledging that it identified and contained a cybersecurity incident at Sistemi Informativi, activating incident response protocols with internal and external specialists. Systems are reported as stable and services restored, though the company website was offline for several hours during containment. Italian intelligence sources cited in investigative reporting have pointed to Salt Typhoon as the likely actor. Attribution remains unconfirmed pending forensic investigation. If verified, the incident would rank among the most significant attacks on Italy's public digital infrastructure in recent years.
What Was Taken
IBM has not publicly disclosed the volume, type, or sensitivity of any data accessed or exfiltrated. Given Sistemi Informativi's role managing infrastructure for public agencies and key private sector organizations, the potential exposure spans government administrative systems, citizen-facing services, and downstream private sector workloads. Salt Typhoon's documented playbook centers on prolonged silent collection rather than smash-and-grab theft, suggesting any exfiltration may have been targeted toward sensitive communications, credentials, network topology, and persistent footholds suitable for follow-on operations. The full extent of the breach has not been disclosed.
Why It Matters
The incident underscores the systemic risk of concentrated IT integrators: a single compromised provider can simultaneously expose dozens of downstream public and private organizations. Salt Typhoon's selection of an IBM subsidiary embedded in Italian state infrastructure aligns with a broader pattern of Chinese state-sponsored targeting of European government networks, telecoms, and managed service providers. For European security leaders, this is a clear signal that strategic third parties, particularly those holding privileged access into government environments, are now front-line targets. Trust boundaries between integrator and client are increasingly being weaponized as initial access vectors.
The Attack Technique
Specific intrusion details for the Sistemi Informativi breach have not been published. Salt Typhoon, active since at least 2019 and with activity that has escalated significantly over the past two years, is documented as favoring supply chain vulnerabilities and zero-day exploits over social engineering. Prior confirmed intrusions include European telecom operators via Citrix and Cisco vulnerabilities, Viasat, Canadian telecom firms, the US Army National Guard, and Dutch government networks. The group's tradecraft emphasizes prolonged data exfiltration, silent observation, and pre-positioning for command execution inside compromised infrastructure, behaviors consistent with strategic espionage rather than disruption.
What Organizations Should Do
- Audit third-party IT integrators and managed service providers with privileged access into your environment, with particular focus on credentials, jump hosts, and remote management tooling.
- Patch and monitor edge appliances aggressively, especially Citrix and Cisco devices that have been Salt Typhoon's repeated entry points across prior campaigns.
- Deploy network monitoring tuned to detect long-dwell, low-volume exfiltration patterns rather than only high-volume data theft signatures.
- Segment provider access so that compromise of one integrator does not yield lateral movement into core government or enterprise environments.
- Require incident notification clauses and joint response playbooks in contracts with infrastructure providers, including timelines for IOC sharing.
- Hunt proactively for Salt Typhoon TTPs and known IOCs across telecoms, government networks, and managed service environments, assuming pre-positioning may already exist.
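The monitoring recommendation above, sketched as an added example (not taken from the cited reporting or from any vendor tool): it contrasts a per-day volume signature with a check for outbound pairs that send steadily on most days of a window. The flow records, addresses (documentation ranges), and every threshold are constructed assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

def sample_flows():
    """Constructed flow summaries: (day, internal_src, external_dst, bytes_out)."""
    flows = []
    for day in range(1, 31):
        # steady trickle from a jump host to one external address, every day
        flows.append((day, "10.0.5.20", "203.0.113.50",
                      4_000_000 + (day % 3) * 150_000))
        # ordinary user traffic: irregular sizes, absent on some days
        if day % 4 != 0:
            flows.append((day, "10.0.7.31", "198.51.100.7",
                          300_000 * (1 + (day * 7) % 11)))
    # one-off bulk transfer, the case a volume signature does catch
    flows.append((12, "10.0.9.9", "192.0.2.80", 9_000_000_000))
    return flows

def volume_alerts(flows, per_day_limit=1_000_000_000):
    """Classic signature: any single flow record above a byte limit."""
    return sorted({(s, d) for _, s, d, b in flows if b > per_day_limit})

def long_dwell_alerts(flows, window_days=30, min_coverage=0.8, max_cv=0.25,
                      min_total=50_000_000, per_day_limit=1_000_000_000):
    """Flag src/dst pairs that send on most days, in steady amounts,
    never exceed the volume limit, yet add up to a meaningful total."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        daily[(src, dst)][day] += nbytes
    hits = []
    for pair, per_day in daily.items():
        vols = list(per_day.values())
        if mean(vols) == 0:
            continue
        coverage = len(vols) / window_days   # share of days with traffic
        cv = pstdev(vols) / mean(vols)       # low value = steady cadence
        if (coverage >= min_coverage and cv <= max_cv
                and max(vols) <= per_day_limit and sum(vols) >= min_total):
            hits.append((pair, len(vols), sum(vols), round(cv, 3)))
    return sorted(hits)

if __name__ == "__main__":
    flows = sample_flows()
    print("volume signature:", volume_alerts(flows))
    for pair, days, total, cv in long_dwell_alerts(flows):
        print("long-dwell:", pair, f"{days} days, {total} bytes, cv={cv}")
```

On the constructed data the volume signature reports only the bulk transfer, while the long-dwell check reports only the jump host's daily trickle; legitimate backup or telemetry jobs will match the same shape and need an allowlist.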
Sources: Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure