Hackers, that strange (and dangerous) Russian alliance

In the last year alone, the cybersecurity firm Yarix recorded 70 percent more breaches of company IT systems. Companies that often don’t know they are under attack.

We are in an Italian company with almost a billion euros in turnover, operating in the metalworking sector. On an ordinary day a few months ago, an alarm suddenly goes off: someone has broken into the IT system. And that’s not all.

The technicians discover that the intruders had already got in sixty days earlier. But after an in-depth analysis, the company’s managers are calm: the hackers have not caused any damage. The CEO repeats this thesis to Mirko Gatto, founder of the cybersecurity company Yarix. Gatto, however, is not convinced: he suspects that things did not go so well. His team in fact discovers that the attack had lasted more than 60 days, that it had been organized by a Chinese group or one connected to China, and that its purpose was to steal know-how. An operation conducted with extreme care, exfiltrating a little data at a time. The result? The Italian company found itself competing in one of its most important markets against products identical to its own, made by Chinese competitors who had effectively taken its place.

“It’s not an isolated case,” says Gatto. “An Italian company operating in the transport and defense sectors suffered a cyberattack that looked like a classic ransom demand, while in reality it was only a cover that hid an industrial espionage operation.” The theft of strategic business information is one of the many fronts of a silent, underground war that is monitored by specialized centers such as Yarix. Part of the IT company Var Group, Yarix is one of the most recognized Italian players in the cybersecurity sector. In 2024 its control room analyzed over 485 thousand anomalous or suspicious activities worldwide, and almost one in three of these events (141 thousand, up 70 percent on 2023) evolved into a breach that affected the security of the companies under attack.

Chinese hackers are particularly skilled at industrial espionage. According to the Global Threat Report 2025 of the US company CrowdStrike, their activity grew by 150 percent in the last year, with attacks on the financial, manufacturing, media and industrial sectors up by as much as 300 percent. Among the most active groups is APT41, also known as Winnti, Blackfly or Wicked Panda: it frequently steals intellectual property and uses a wide range of sophisticated techniques to maintain persistence inside its victims’ systems. Another well-known Chinese organization is APT10 (or menuPass Team), responsible for intrusions against companies in the construction, engineering, aerospace and telecommunications sectors in Europe, the United States and Japan.

This kind of operation by hackers linked in some way to the Chinese authorities is part of the ever-growing phenomenon of cybercrime, which we can roughly divide into two large families. The first consists of cyberattacks by outright criminal gangs that seize crucial company data and demand a ransom (ransomware), or that use users’ credentials to sell them or to withdraw funds directly. The second is driven by so-called hacktivists, motivated by political or ideological aims, who set out to temporarily take the websites of companies and institutions offline without compromising the integrity or confidentiality of data.

During 2024 Yarix mapped 4,721 ransomware events worldwide, carried out by 92 hacker groups. Among these, RansomHub was confirmed as the most active Russian ransomware group of 2024, accounting for 9.8 percent of all attacks. Italy is the fourth country most affected by ransomware, after the United States, the United Kingdom and Canada, and ahead of Germany. On the hacktivist front, collectives aligned with Russia concentrated their offensive on Ukrainian targets, allies of the Kiev government and NATO members, justifying their actions as a response to Western involvement in the region. Groups supporting the Moscow government have extended their influence beyond the Russia-Ukraine conflict, backing domestic movements in some countries that caused disruption at national level (for example the farmers’ protests in Europe) by flooding various sites and servers with traffic to make them inaccessible. Pro-Arab and pro-Muslim actors are also active online, targeting instead the nations that have shown political or military support for Israel in its current conflict against Hamas.

Italy was the fifth country most affected by hacktivist groups during 2024, both by pro-Russian collectives, mainly motivated by Italy’s support for the Kiev government in the Russia-Ukraine conflict, and by collectives from the Asia-Pacific area, aiming to support the Palestinian population and therefore opposed to Italian support for Israel. According to Yarix’s analyses, the most active hacktivist group in 2024 was the pro-Russian collective NoName057(16). In recent months several Italian banks have been hit by Russian hacktivists, including Intesa Sanpaolo, Bper, Monte dei Paschi di Siena, Banca Popolare di Sondrio, Fineco and Fideuram; companies in the industrial and financial sector such as Leonardo, Edison, Fininvest and Parmalat; various public transport companies; and the airports of Milan Linate and Malpensa and the ports of Trieste, Taranto, Genoa, Savona and Vado Ligure, with slowdowns and temporary blackouts of their websites. Exfiltrating data to damage a company of an “enemy” country and help one of a friendly country is something halfway between state-sponsored activism and for-profit cybercrime. A well-known episode concerns Volkswagen: between 2011 and 2015, Chinese hackers of the Panda group, working for the Ministry of State Security, stole thousands of documents from the German carmaker.

Alongside the Chinese, groups of Russian hackers, including Fancy Bear, Void Blizzard (Laundry Bear) and Killnet, are key actors in this field. Their operations use sophisticated techniques to exfiltrate sensitive data, which is then monetized through illegal sales on dark web markets or indirectly through strategic intelligence gains for Moscow. The evidence indicates that the Chinese and Russian espionage agencies co-opt and actively exploit cybercriminals, integrating their skills into wider strategic objectives. This symbiotic relationship allows the state to benefit from the efficiency and scale of the criminal underground, while offering criminals potential protection or financial incentives.

Fancy Bear, for example, is linked to the Russian military intelligence agency, the GRU. Its goal is intelligence collection, often with a focus on political influence and strategic insight. Void Blizzard, also tracked as Laundry Bear by Dutch intelligence, focuses on sectors including government, defense, transport, media, healthcare and non-governmental organizations. An incident in September 2024 ended with the theft of the contact details of every police officer in the Netherlands. Killnet, on the other hand, initially emerged as a pro-Russian hacktivist group in 2022 and then moved from patriotic motivations to for-profit cybercrime.

The stolen data vary widely, ranging from high-value credentials and personally identifiable information to proprietary company data and critical strategic intelligence. Such data are highly valuable, since they can be exploited for direct financial fraud, corporate espionage or significant geopolitical leverage. The dark web acts as the central marketplace for the resale of stolen information, and the resilience of this illegal infrastructure, despite the efforts of law enforcement, guarantees a continuous supply of compromised data. It is now evident that the threat to Italian companies is present, multifaceted and constantly growing. It is essential to prioritize robust cybersecurity measures that take into account both state-sponsored espionage and financially motivated cybercrime. Whether we like it or not, we are in the crosshairs and we must defend ourselves.