IBM Italy Subsidiary Breached by Salt Typhoon, Intelligence Links Attack to Chinese Cyber Espionage
IBM confirms breach at Italian subsidiary Sistemi Informativi linked to Chinese espionage group Salt Typhoon. Details, impact, and defender actions.

TL;DR
IBM Italy’s subsidiary Sistemi Informativi identified and contained a breach tied to the Salt Typhoon espionage group, which has targeted telecom, defense, and government networks since early 2025. Systems are now stable, but the scope of data exposure remains under investigation.
Context
In late April 2026, La Repubblica reported that Sistemi Informativi, the IBM‑owned IT integrator managing infrastructure for Italian public agencies and key industries, suffered a cybersecurity incident. IBM’s statement confirmed the breach had been identified and contained, noting activation of internal and external response teams. The subsidiary’s website was temporarily offline during containment.
Key Facts
Intelligence sources cited by La Repubblica link the attack to Salt Typhoon, a China‑associated APT active since at least 2019. Since early 2025, the group has breached Viasat, Canadian telecom firms, the U.S. Army National Guard, and Dutch government networks, using supply‑chain weaknesses and zero‑day exploits in Citrix and Cisco platforms. Salt Typhoon’s typical tactics include prolonged data exfiltration, silent observation, and potential command‑and‑control deployment on compromised infrastructure.
What It Means
The breach underscores the growing risk to third‑party IT providers that support national critical infrastructure. If Salt Typhoon gained persistent access, it could map connections across Italian government databases and prepare for larger‑scale operations. Organizations relying on similar integrators should review third‑party access controls and monitor for signs of supply‑chain compromise.
Mitigations / What Defenders Should Do
- Apply the latest security patches for Citrix ADC and Gateway (CVE‑2023‑XXXX series) and Cisco ASA/Firepower devices as advised by vendor advisories.
- Enforce network segmentation to isolate critical IT management systems from corporate and public‑facing networks.
- Deploy detection rules for MITRE ATT&CK techniques T1078 (Valid Accounts), T1190 (Exploit Public‑Facing Application), and T1041 (Exfiltration Over Command‑and‑Control Channel).
- Review and harden privileged account usage, implement multi‑factor authentication, and monitor for anomalous lateral movement.
- Conduct regular threat‑hunting exercises focused on indicators of compromise associated with Salt Typhoon, such as specific malware hashes and C2 domains reported by CISA and ENISA.
Watch for further disclosures from IBM on the exact data accessed and any guidance from Italian cybersecurity authorities on securing third‑party IT integrators.