
Researcher claims Salt Typhoon cyber spies attended Cisco training scheme

A security researcher specializing in tracking China threats claims two of Salt Typhoon’s members were former attendees of a training scheme run by Cisco.

SentinelLabs’ Dakota Cary linked Yu Yang and Qiu Daibing, two alleged members of the Chinese state hacking group, to participants of the 2012 Cisco Networking Academy Cup.

The initiative is still going today. It typically runs for a few months and is geared toward beginners learning foundational cybersecurity skills, which are then tested in competitions like capture the flag events.

Both Yu and Qiu are co-owners of Beijing Huanyu Tianqiong, one of the Chinese tech companies that international security advisories specify as being fronts for Salt Typhoon activity.

Digging into their pasts, Cary found that Yu and Qiu represented Southwest Petroleum University in Cisco’s academy cup in China. Yu’s team placed second in the Sichuan region, while Qiu’s team won it and later placed third nationally, despite the university not carrying a significant pedigree in academic excellence.

The researcher also noted the link between Yu and Qiu’s participation in the Cisco Networking Academy Cup, the training that came with it, and the products he says they later went on to exploit at Beijing’s behest.

He said: “The Cisco Networking Academy began in 1997 and entered China’s market in 1998. Among the content covered in Cisco Networking Academy were many of the products Salt Typhoon exploited, including Cisco IOS and ASA Firewalls.”

Salt Typhoon’s expansive campaign was first publicized in 2024, and international cyber agencies have since said it led to compromises of at least 80 global telecoms companies.

Those attacks allowed China to snoop on secret communications between elected officials, US law enforcement’s CALEA requests, and more. The campaign remains one of the most severe and sensitive cybersecurity breaches in US history.

“All of that high-tech novelty disguises a tale as old as time: skilled master trains apprentice, apprentice masters skills with tutelage, apprentice usurps the master owing to some core ideological difference between the two that festers over time,” Cary said.

“Gordon Ramsay’s feud with Marco Pierre White, Anakin’s rise under Obi-Wan Kenobi, and Mao Zedong’s study of communism under Chen Duxiu all fit the mold.”

It should be said, and Cary acknowledged it himself, that there is nothing to suggest that Cisco or its academy cup played any direct role in the pair later working as cyberspies for Beijing.

“The program itself is not cause for concern, nor should participation in it be construed as such.”

Cary said the findings suggest that any vendor offering local training in geopolitically unfriendly regions should be aware that knowledge of offensive capabilities is likely in enemy hands.

They also serve as a reminder that educational background is not a reliable predictor for workplace capability, and that offensive teams may benefit from sending their own people through similar training initiatives like Huawei’s ICT academy.

“Only in hindsight, and with the story of Qiu and Yu, can security researchers now see how those efforts may have incidentally boosted offensive researchers,” said Cary. “Microsoft’s sharing of source code with the MSS has long been touted as a Faustian bargain by the security community.

“Education initiatives fall short of such acclaim, but may come to present more risk than return as the Chinese Communist Party remakes the country’s computer networks with home-grown technology – as the Delete America document makes clear is their goal.”

The Register contacted Cisco for a response. ®
