China-Linked Hackers Breach Italy Interior Ministry to Identify Dissidents Abroad
Italian investigators disclosed that China-linked hackers breached Italy’s Interior Ministry network in February 2026 and reportedly stole personnel data on about 5,000 DIGOS officers, the police units responsible for counterterrorism and political investigations. Italian law enforcement assessed the intrusion was not routine espionage, but part of an effort to identify Chinese nationals overseas whom Beijing viewed as political threats, linking the operation to broader campaigns targeting critics and diaspora communities abroad.
The breach fits a wider pattern of PRC transnational repression in which cyber operations are used alongside surveillance, intimidation, proxy networks, pressure on relatives, covert agents, and misuse of law-enforcement mechanisms to monitor and silence dissidents outside China. Reporting cited Freedom House data attributing 253 of 854 documented physical transnational repression incidents from 2014 to 2022 to the PRC, as well as 2023 U.S. charges against alleged Ministry of Public Security officers tied to the 912 Special Project Working Group and prior allegations involving covert overseas Chinese police service stations and private contractors supporting these activities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
China-linked hackers breach Italy’s Interior Ministry network
In February 2026, Italian investigators disclosed that China-linked hackers breached Italy’s Interior Ministry network and reportedly stole personnel data on about 5,000 DIGOS officers. Italian law enforcement assessed that the intrusion was intended to identify Chinese nationals abroad viewed by the Chinese Communist Party as political threats, rather than serve as routine espionage.
U.S. charges alleged MPS officers tied to 912 Special Project Working Group
In 2023, U.S. authorities brought charges against alleged Chinese Ministry of Public Security officers connected to the 912 Special Project Working Group. The reference cites this as part of the broader pattern of PRC transnational repression abroad.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
How China's Cyber Operations - and the Contractors Behind Them - Target Critics Abroad - Malware Analysis - Malware Analysis, News and Indicators
malware.news
Open sourceHow China's Cyber Operations - and the Contractors Behind Them - Target Critics Abroad
nattothoughts.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Espionage Targeting U.S. Government and Technology Talent
U.S. authorities and researchers are highlighting **China-linked espionage** that increasingly leverages online recruitment and employment channels to access sensitive information. Reporting on recent federal cases describes foreign intelligence services posing as consulting firms, research groups, or recruiters to approach current and former U.S. government personnel—often starting via email or job platforms and escalating through staged interviews, fake websites, and payment offers—to solicit **classified or sensitive information**; multiple Justice Department actions in 2025 reportedly involved such virtual-first recruitment approaches. Separately, a former Google engineer, **Linwei Ding**, was found guilty of **economic espionage and trade secret theft** after prosecutors said he exfiltrated over 2,000 pages of confidential AI supercomputing documents (including TPU/GPU architecture details, orchestration software, SmartNIC networking designs, and internal system configurations) and uploaded them to a personal cloud account while maintaining undisclosed ties to China-based companies and engaging with a Shanghai-sponsored talent program. Broader context from CSIS’ long-running survey of Chinese espionage cases underscores that these incidents fit a sustained pattern since 2000 spanning both **human intelligence** and **cyber-enabled theft** targeting U.S. government and commercial technologies, while noting open-source case lists likely undercount the true scope.
Mar 21, 2026
China-Linked Espionage Targeting Former US Officials and UK Government Communications
Reporting indicates **China-linked intelligence activity** is targeting current and former Western government officials through both human and technical collection. In the US case, a suspected Chinese influence/collection network using a purported consultancy (*Foresight and Strategy*) allegedly approached a former senior State Department official and offered payment to produce an assessment of US policy priorities in Venezuela, consistent with prior research describing a nexus of fake companies and websites used to recruit people with government and think-tank policy experience. In the UK, Chinese state-linked hackers are accused of maintaining years-long access to communications associated with senior Downing Street officials, with reporting alleging compromises affecting phones used by aides to former prime ministers **Boris Johnson, Liz Truss, and Rishi Sunak** dating back to 2021 and discovered in 2024. The activity has been linked by sources to **Salt Typhoon**, a China-aligned espionage group associated with telecom-provider intrusions that can enable collection of call metadata and potentially content (texts/calls), allowing intelligence value even without direct handset malware.
Mar 21, 2026
Reports Highlight China-Led Expansion of Offensive Cyber Operations and Targeting of Defense and Critical Infrastructure
Multiple reports and leaked documents indicate **China-linked cyber operations** are expanding in scale and sophistication, with a strong emphasis on targeting government, telecommunications, and other strategic sectors. A Forescout *Vedere Labs* analysis cited by Cybernews reported China as the top origin of threat operations last year (210), with Russia and Iran also major contributors; the reporting also highlighted suspected China-linked activity tied to a multi-year compromise of South Korea’s **Onnara System**, including theft of civil servants’ **GPKI certificates and credentials**, and noted Taiwan’s National Security Bureau reporting an average of **2.63 million attacks per day** last year. Separately, leaked technical materials reviewed by Recorded Future News describe a purported Chinese internal training environment—part of an integrated system called **“Expedition Cloud”**—used to rehearse offensive cyberattacks against replicas of neighboring countries’ real-world networks, including **power/energy transmission, transportation, and smart home infrastructure**. In parallel, a Google Threat Intelligence Group report warned of a “relentless barrage” of nation-state activity against the **U.S. defense industrial base**, describing a shift beyond classic espionage into **supply-chain attacks, workforce infiltration, and battlefield-adjacent operations**; Google attributed much of the activity to **Chinese, Russian, Iranian, and North Korean** actors and noted continued Russian targeting of organizations supporting Ukraine, including phishing, malware aimed at mobile battlefield-management apps, and attempts to access encrypted messaging platforms.
Mar 21, 2026