Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure


What happened

A cybersecurity incident in late April 2026 targeted Sistemi Informativi, an Italian company wholly owned by IBM Italy that provides IT infrastructure management for public agencies and key private sector organizations. IBM confirmed the breach through an official statement, acknowledging it had identified and contained a cybersecurity incident and activated incident response protocols involving internal and external specialists. The company said systems are now stable and services have been restored but provided no details on the scope of the breach. The company’s website remained offline for several hours during containment.

Italian investigative reporting citing multiple intelligence sources has pointed to Salt Typhoon, a China-linked cyber espionage group, as the likely actor behind the incident. The attribution has not been officially confirmed, and forensic investigations are ongoing. If confirmed, the incident would represent one of the most significant attacks on Italy’s public digital infrastructure in recent years.

Salt Typhoon has been active since at least 2019 and has escalated operations significantly over the past two years. The group is documented as relying on supply chain vulnerabilities and zero-day exploits rather than social engineering, with confirmed intrusions into European telecom providers (via Citrix and Cisco vulnerabilities), Viasat, Canadian telecom firms, the US Army National Guard, and Dutch government networks. Its operations are characterized by prolonged data exfiltration, silent observation, and positioning for potential command execution within compromised infrastructure.

Sistemi Informativi’s role as a centralized IT provider for Italian public institutions means a successful compromise could provide visibility into multiple government databases and the ability to map significant portions of Italy’s digital infrastructure through a single point of access.

Who is affected

Italian public agencies and private sector organizations whose IT infrastructure is managed by Sistemi Informativi face potential exposure depending on the scope of access the attackers obtained. The full extent of the breach has not been disclosed. The broader European critical infrastructure sector should also treat this incident as relevant, given Salt Typhoon’s documented targeting pattern across the continent.

Why CISOs should care

The Sistemi Informativi incident is a textbook example of the IT service provider as a force multiplier for state-sponsored espionage. Compromising one infrastructure integrator can provide access to the systems, configurations, and data of every organization it manages, without requiring separate intrusions into each target. That leverage is precisely what makes IT providers attractive to groups like Salt Typhoon.

For security leaders in Europe managing or relying on third-party IT infrastructure providers, this incident reinforces that the security posture of those providers is inseparable from their own. Salt Typhoon’s preference for supply chain and zero-day exploitation rather than phishing also means that user awareness training provides limited protection against this threat model.

3 practical actions

  1. Assess the security posture of IT infrastructure providers with privileged access to your systems: The Sistemi Informativi breach illustrates how a single compromised integrator can expose multiple downstream organizations simultaneously. Review what access your IT service providers hold, what security standards they are contractually required to meet, and whether you have audit rights to verify compliance.
  2. Prioritize patching of Citrix and Cisco infrastructure given Salt Typhoon’s documented exploitation of these platforms: Salt Typhoon has used vulnerabilities in Citrix and Cisco systems to gain initial access in confirmed European operations. Confirm patch currency on these platforms and review whether any anomalous access patterns coincide with the late April 2026 timeframe of the Sistemi Informativi incident.
  3. Implement network monitoring that can detect prolonged, low-volume data exfiltration consistent with Salt Typhoon’s operational pattern: The group’s hallmark is silent, extended access rather than noisy intrusion. Detection engineering for this threat profile requires behavioral analytics that can identify slow data staging and exfiltration over time, not just signature-based detection of known malware.
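The third action calls for behavioral analytics rather than per-event volume thresholds. The following is an added example, not code from the original article or from any organization named in it, showing why the distinction matters: a classic "single day over 1 GB" volume rule sits beside a persistence rule that aggregates daily outbound bytes per (host, destination) pair over a 30-day window and flags pairs that are active on many days with a steady, sub-threshold daily volume. The flow summaries, thresholds, allowlist and IP addresses are all constructed for illustration.

```python
"""
Detection sketch for low-and-slow outbound data transfer.

Added example; it works over constructed daily flow summaries
(day, source host, destination IP, bytes out). Thresholds, the
allowlist and the sample records are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class FlowSummary:
    day: date
    src_host: str
    dst_ip: str
    bytes_out: int


# Assumed tuning values (not from the article)
BURST_ALERT_BYTES = 1_000_000_000      # 1 GB in one day: what a simple volume rule fires on
MIN_ACTIVE_DAYS = 7                     # persistence: pair seen on at least this many days
MIN_CUMULATIVE_BYTES = 500_000_000     # 500 MB total over the window
MAX_DAILY_CV = 0.5                      # steadiness: coefficient of variation of daily volume
KNOWN_DESTINATIONS = {"203.0.113.10"}   # constructed allowlist, e.g. an approved backup target


def burst_alerts(flows):
    """Classic volume rule: any single day above the threshold to a non-allowlisted destination."""
    return sorted({(f.src_host, f.dst_ip) for f in flows
                   if f.bytes_out >= BURST_ALERT_BYTES and f.dst_ip not in KNOWN_DESTINATIONS})


def low_and_slow_alerts(flows, window_days=30):
    """Flag (host, dst) pairs with persistent, steady, sub-threshold daily transfers."""
    if not flows:
        return []
    end = max(f.day for f in flows)
    start = end - timedelta(days=window_days - 1)
    per_pair = defaultdict(lambda: defaultdict(int))   # (host, dst) -> day -> bytes
    for f in flows:
        if start <= f.day <= end and f.dst_ip not in KNOWN_DESTINATIONS:
            per_pair[(f.src_host, f.dst_ip)][f.day] += f.bytes_out
    hits = []
    for pair, by_day in per_pair.items():
        daily = list(by_day.values())
        total = sum(daily)
        if len(daily) < MIN_ACTIVE_DAYS or total < MIN_CUMULATIVE_BYTES:
            continue                      # not persistent enough, or too little moved overall
        if max(daily) >= BURST_ALERT_BYTES:
            continue                      # a burst; the volume rule already covers it
        m = mean(daily)
        cv = pstdev(daily) / m if m else 0.0
        if cv <= MAX_DAILY_CV:            # steady trickle, the pattern a volume rule misses
            hits.append({"pair": pair, "days": len(daily),
                         "total_bytes": total, "daily_cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["pair"])


def constructed_flows():
    """Constructed sample data: one expected bulk flow, one burst, one trickle, some noise."""
    base = date(2026, 4, 1)
    flows = []
    # Routine 2 GB/day to an allowlisted backup target: large but expected.
    for i in range(30):
        flows.append(FlowSummary(base + timedelta(days=i), "db-01", "203.0.113.10", 2_000_000_000))
    # One 5 GB transfer to an unknown address: caught by the burst rule.
    flows.append(FlowSummary(base + timedelta(days=12), "ws-07", "198.51.100.44", 5_000_000_000))
    # About 40 MB/day to one unknown address every day for 25 days: caught only by the persistence rule.
    for i in range(25):
        flows.append(FlowSummary(base + timedelta(days=i), "app-03", "198.51.100.77",
                                 40_000_000 + (i % 3) * 1_000_000))
    # Sporadic small transfers on three days: below both rules.
    for i in (2, 9, 20):
        flows.append(FlowSummary(base + timedelta(days=i), "ws-02", "198.51.100.5", 30_000_000))
    return flows


if __name__ == "__main__":
    fl = constructed_flows()
    print("burst rule:", burst_alerts(fl))
    print("low-and-slow rule:", low_and_slow_alerts(fl))
```

In the constructed data the burst rule sees only the 5 GB transfer, while the 25-day trickle of roughly 40 MB/day (about 1 GB in total) never crosses the daily threshold and is surfaced only by the persistence rule. In production the same aggregation would run over NetFlow/IPFIX or proxy summaries, with the allowlist and thresholds derived from each host's own baseline rather than fixed constants.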