Italy's cyber perimeter under fire: two institutional breaches in fifteen days
When the digital blackout hit the lecture hall

On the night between February 1 and February 2, 2026, Sapienza University of Rome experienced something far more serious than a routine IT outage. What struck its campus was a full digital blackout that simultaneously knocked out portals, internal networks, and administrative services, forcing one of Europe's largest universities into an improvised return to analogue operations. Students queued at physical info points, exams went ahead but grade recording stalled, and administrative deadlines were pushed back while the institution worked to contain the damage.
At the heart of the crisis was Infostud, the university's integrated platform for exam bookings, academic records, payments, and certifications. When Infostud went dark, it triggered a cascade of failures across every service that depended on it, including internal email and real-time administrative workflows: a single platform had become a single point of failure, with no independent fallback for the processes built on top of it. The suspension of digital operations was not merely inconvenient; it meant a complete loss of control over processes that, by design, are supposed to be resilient and independently verifiable.
According to reporting by Blasting News, the attack was carried out with the ransomware BabLock, also known as Rorschach, first documented in 2023. The same reporting attributes the malware to a group operating under the signature Femwar02. Its code borrows from Babuk, LockBit v2.0, and DarkSide; its speed comes from intermittent encryption, which encrypts only a portion of each file rather than the whole, so a large file share can be rendered unusable in minutes. Once it is running with sufficient privileges it spreads on its own, which is what makes it so hard to contain after deployment. The attackers are believed to have gained initial access either through an unpatched vulnerability or through a compromised administrator account; the reporting does not settle which.
BabLock, bitcoin and the logic of extortion
What transformed a technical incident into a political case was the mechanism of extortion that followed the breach. Consistent with the BabLock playbook, the attackers left instructions for administrators and initiated a negotiation over decryption keys, reportedly demanding up to one million dollars in bitcoin with a 72-hour ultimatum and the explicit threat of publishing exfiltrated data if the ransom went unpaid. The countdown timer, a standard feature of modern ransomware campaigns, is designed to maximize pressure and minimize the institution’s room for deliberation.
The reputational damage extended beyond the technical disruption. On dark web circuits accessible via Tor, offers appeared claiming to sell academic documents attributed to Sapienza, complete with packages mimicking the university’s official identity. Whether these listings were based on actual exfiltrated data or were opportunistic fraud riding the media wave, the effect was identical: the credibility of a public institution was put up for sale. When someone attempts to monetize your identity, the attack is no longer about data alone. It becomes an assault on trust and authority, the two foundations that allow a state institution to function.
The restoration process, when it arrived, involved forensic cleanup, backup validation, and staged service reactivation. But even as Infostud came back online and the university moved toward normal operations, a critical question remained unanswered: what data was actually exfiltrated, in what volume, and what are the potential future uses? Answering it is only possible if network flow, proxy, and endpoint logs covering the intrusion window were retained somewhere the ransomware did not reach; without that telemetry, "we do not know" is the honest answer. Operational damage ends when you restart your systems; strategic damage ends only when you know precisely what left your digital house.
The Viminale breach: 5,000 Digos agents exposed
The second incident is of an entirely different magnitude. A group of hackers linked to Chinese intelligence penetrated the network of the Viminale, Italy's Ministry of the Interior, and extracted files containing the identities, roles, and operational locations of approximately 5,000 agents of Digos (Divisione Investigazioni Generali e Operazioni Speciali). As Euronews reported, citing La Repubblica, the targeted division is responsible for counterterrorism surveillance, monitoring of foreign communities, and tracking of Chinese dissidents who have sought refuge in Italy.

The intrusion is believed to have taken place between 2024 and 2025, and was described by investigators as “surgical”: not an attack aimed at disruption or sabotage, but a targeted exfiltration of high-value operational intelligence. This distinction carries real weight. A noisy attack, one that crashes systems or wipes data, is visible, measurable, and declarable. A silent exfiltration often surfaces only months later, and by then the questions multiply: how long did the adversary have access, how many times did they return, and in what ways is the extracted information already being exploited?
The data extracted goes far beyond a staff directory. It provides a map of investigative priorities, revealing which officers are assigned to the most sensitive operations. For Beijing, having that kind of visibility into Italy’s internal security apparatus is worth considerably more than any conventional act of sabotage. If those files include information on officers involved in tracking Chinese dissidents living in Italy, the implications extend to real people whose safety depends on their cases remaining confidential.
The Chinese shadow and the political trap
The Viminale breach does not occur in a political vacuum. In 2024, Interior Minister Matteo Piantedosi traveled to Beijing and met with his counterpart Wang Xiaohong to establish a three-year cooperation plan covering drug trafficking, cybercrime, human trafficking, and organized crime. In a development described as historically significant, China responded, for the first time, to a formal rogatory request from the Prato prosecutor’s office led by Luca Tescaroli, which was investigating the exploitation of workers within Prato’s textile district and its surrounding criminal networks.
The juxtaposition is uncomfortable. While Italy was attempting to build an operational bridge with Beijing to combat transnational crime, actors linked to Chinese intelligence were inside the Viminale’s systems, mapping precisely the people responsible for those investigations. The two timelines overlap in a way that is difficult to dismiss as coincidence. Every diplomatic opening, if not backed by genuine technical security, can become a strategic asset for an adversary with different objectives. Following the discovery of the intrusion, Italian public security authorities reportedly severed all direct operational collaboration with Chinese counterparts, a decision that reflects how seriously the damage was assessed at the highest levels.
This is not the first time Italy has underestimated the information risk embedded in cooperative arrangements. During the COVID pandemic, Russian military medical teams worked inside Italian hospitals, gaining access to structures and information flows at a moment of acute institutional vulnerability. The lesson that should have been drawn then, that every access point is a potential collection vector regardless of the diplomatic context, was apparently not absorbed deeply enough into the country’s security culture.
Rules for others: the compliance paradox
Both incidents land at a specific and consequential moment in Italy’s regulatory calendar. Legislative Decree 138/2024, which transposed the NIS2 Directive into Italian law, entered into force on October 16, 2024. The measure imposes structured obligations on essential and important entities across energy, transport, healthcare, finance, public administration, and digital infrastructure, covering risk management, incident reporting, business continuity, supply chain security, and executive accountability. By April 2025, ACN (Agenzia per la Cybersicurezza Nazionale) was required to publish minimum security measures; full compliance with advanced requirements is expected by October 2026.
For private organizations, NIS2 means audits, mandatory role designations, investment in security infrastructure, incident notification on a fixed clock (an early warning within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours), and direct liability for senior leadership. The compliance burden is real, and for many smaller entities in critical sectors it represents a significant operational cost. What makes the picture so troubling is the contrast: the same state that demands this discipline from its private sector is managing public institutions that failed to protect the Ministry of the Interior and one of the country's flagship universities within the same fifteen-day window.
NIS2 is not a compliance logo to display at conferences. It is a commitment. It demands that incidents no longer be treated as confidential embarrassments, that security be demonstrated rather than declared, and that governance failures carry consequences. When the public administration itself provides the clearest examples of what non-compliance looks like in practice, the regulatory architecture risks becoming an asymmetric burden: demanding from the outside what it cannot enforce from within. The credibility of ACN, the agency charged with supervising Italy’s national cyber perimeter, rests in part on its capacity to hold public institutions to the same standards it imposes on the private sector. Two incidents in fifteen days suggest that the distance between the written perimeter and the real one remains dangerously wide.