China's Salt Typhoon threat actor has extended its telecommunications espionage operations into European infrastructure, with available reporting indicating the group maintained access to an IBM subsidiary in Italy for approximately two weeks before detection. The breach represents a westward expansion of a campaign that has already compromised major US telecommunications carriers, and signals that Salt Typhoon's operational mandate extends well beyond American networks.

According to reporting from cybersecurity researchers and industry sources, the IBM Italy subsidiary was penetrated through techniques consistent with Salt Typhoon's documented tradecraft: exploitation of edge devices, living-off-the-land persistence, and low-and-slow data exfiltration designed to remain beneath standard detection thresholds. The access window of approximately 14 days before remediation is consistent with the group's operational pattern of prioritising prolonged dwell time over volume extraction.

Salt Typhoon — tracked by Microsoft as Silk Typhoon and by other vendors under multiple designations — is assessed with high confidence as operating in support of China's Ministry of State Security signals intelligence collection mission. The group rose to prominence following confirmed compromises of AT&T, Verizon, and Lumen Technologies in 2024, in which it accessed lawful intercept infrastructure — systems maintained to facilitate US government surveillance — for an extended period before expulsion.

The IBM Italy breach is assessed as deliberate targeting of a high-value managed services provider rather than an opportunistic intrusion. IBM's footprint in European telecommunications infrastructure makes it a high-leverage target: persistent access through a major IT services provider can yield intelligence on dozens of downstream clients without requiring separate intrusions. This approach — targeting trusted IT intermediaries — is consistent with MSS operational doctrine prioritising access breadth over targeted extraction.

Salt Typhoon's demonstrated willingness to operate inside European critical infrastructure — territory long considered lower priority for Chinese cyber operations than US and Indo-Pacific targets — suggests a broader collection mandate. NATO members' communications infrastructure, and the intelligence value of European telecommunications during a period of elevated geopolitical tension, likely drive this expansion. Attribution confidence remains high given the technical indicators, infrastructure overlap, and alignment with known MSS collection priorities.