Threat Intelligence Report: The Sistemi Informativi Breach and the Vulnerability of Europe’s Digital Backbone

May 10, 2026

The cybersecurity landscape across Europe is experiencing a profound tactical shift. State-sponsored Advanced Persistent Threats (APTs) are increasingly moving away from noisy, direct attacks on government networks, choosing instead to target the private-sector managed service providers (MSPs) and IT integrators that maintain them. The late April 2026 breach of Sistemi Informativi—a major IT infrastructure manager wholly owned by IBM Italy—serves as a stark warning. By compromising a single trusted third party, adversary groups can potentially map out critical national infrastructure and establish long-term, silent access to highly sensitive government databases.

In late April 2026, Italian national security and digital infrastructure were placed on high alert following a major cyber incident targeting Sistemi Informativi. First reported by La Repubblica, the breach immediately triggered alarms due to the company’s central role in managing critical IT infrastructure for key public agencies and private institutions throughout Italy. In an official statement, IBM confirmed the breach, noting that it had "identified and contained a cybersecurity incident" and rapidly deployed internal and external incident response specialists to stabilize systems. While the company's public website remained offline for hours during the initial containment phase, subsequent forensic updates indicated that the blast radius was successfully isolated to Sistemi Informativi’s internal networks, preventing lateral movement into broader downstream government client databases.

Although forensic investigations are ongoing, multiple intelligence sources strongly point to Salt Typhoon (also tracked by researchers as Earth Estries or GhostEmperor), a highly sophisticated APT group linked to Chinese state interests that has been active since at least 2019. Salt Typhoon has built a reputation for immense technical precision and operational discipline, eschewing common social engineering and mass phishing tactics in favor of exploiting supply-chain vulnerabilities and zero-day flaws. They frequently leverage edge infrastructure vulnerabilities—such as known flaws in Citrix NetScaler and Cisco systems—to infiltrate networks silently. Once inside, they utilize "living-off-the-land" techniques, using legitimate administrative tools to blend into normal network traffic, deploy custom modular malware, and establish prolonged data exfiltration pipelines.

This incident is not an isolated event but part of a broader, aggressive campaign by Salt Typhoon and similar state-aligned actors targeting European telecommunications and public infrastructure. Earlier in 2026, British intelligence tracked a long-running, stealthy intrusion by Salt Typhoon into core routing and telecommunications networks across the United Kingdom. Similarly, a late 2025 operation saw the group bypass multi-factor authentication via a Citrix gateway to compromise a major European telecom provider, leveraging DLL side-loading to conceal their payloads. In 2025, the group also successfully breached Dutch government networks, maintaining a low-and-slow presence to map out digital dependencies. Beyond Salt Typhoon, Europe’s broader IT supply chain has faced relentless pressure; state-sponsored campaigns have repeatedly targeted satellite communication relay providers like Viasat to disrupt transport and defense logistics. According to recent ENISA threat landscape assessments, the abuse of cyber dependencies has escalated sharply, with public administration networks accounting for nearly 38% of targeted European intrusions—the majority of which flow directly through compromised private tech partners and regional IT integrators. This trend has fueled intense policy debates, serving as the primary catalyst for the European Commission's recent Cybersecurity Package and stricter compliance audits mandated under the NIS2 Directive.