Chinese state hackers attended Cisco cybersec training, researcher claims


Two Chinese hackers accused of running one of Beijing’s biggest cyber-espionage campaigns may have first learned their craft in a beginner-level Cisco training program.

Two alleged members of the Chinese state-sponsored hacking group known as Salt Typhoon may have once been students in a global training program run by Cisco, according to new findings from SentinelLabs researcher Dakota Cary.

Yu Yang and Qiu Daibing are both accused of participating in Beijing’s long-running cyber-espionage campaign.


However, they were discovered to be former competitors in the 2012 Cisco Networking Academy Cup, a beginner-level program designed to introduce students to foundational cybersecurity skills.

The Cisco Networking Academy was launched in 1997 and expanded into the Chinese market in 1998. The initiative is still running today. Every few months, participants studying foundational cybersecurity skills are tested in competitions.

Cisco trainees work for China
Qiu Daibing’s LinkedIn profile. Source: SentinelOne

Cary noted an uncomfortable overlap: some of the same Cisco technologies taught to students, such as Cisco IOS software and ASA firewalls, were later targeted and exploited in Salt Typhoon’s operations.

Public records show that Yu and Qiu represented Southwest Petroleum University in the 2012 academy competition.

Yu’s team placed second in the Sichuan regional event, while Qiu’s team won the regional round and went on to place third nationwide. That's a notable achievement given the university is not widely recognized for cybersecurity excellence.

Both men later became co-owners of Beijing Huanyu Tianqiong, a Chinese technology company named by multiple international security advisories as a front organization for Salt Typhoon activity.


Salt Typhoon has been tied to intrusions into at least 80 global telecommunications companies in 2024, including major companies such as Verizon, AT&T, Viasat, T-Mobile, and Lumen Technologies, and to the theft of sensitive data, according to joint reports from US and allied cyber agencies.

The disclosure adds a new layer of complexity to the ongoing debate over how global tech companies should engage with foreign training programs, especially in nations where state-backed cyber operations continue to expand in scale and ambition.

“Like other master-apprentice rivalries, the betrayal of Qiu and Yu was based on ideology and, ultimately, nationality,” writes Cary.

“Qiu and Yu are not an oddity – they are evidence of a world in which today’s students can become tomorrow’s rivals with little more than time, opportunity, and a different notion of whose security they serve.”

The researcher also believes that the situation with Qiu and Yu suggests that offensive capabilities against foreign IT products likely emerge when companies begin supplying local training.

“There is a potential risk of such education initiatives inadvertently boosting foreign offensive research,” the researcher states. “As China seeks to delete American-made IT from its tech stacks, these initiatives may present more risk than reward.”

Salt Typhoon remains a serious threat

At the end of August this year, a new joint cybersecurity advisory (CSA) by over a dozen international law enforcement organizations warned that Salt Typhoon continues to target telecoms and critical infrastructure worldwide.

Experts caution that Salt Typhoon remains a major, ongoing threat and urge organizations to adopt the CSA’s mitigation guidelines to detect and evict intrusions. Meanwhile, the FBI is on a manhunt, offering a $10 million bounty for information on Salt Typhoon.

In 2024, a US state's Army National Guard network was also hacked by Salt Typhoon, according to a Department of Homeland Security memo that only came to light this year.

Salt Typhoon is also believed to be behind the hack of the US Treasury Department, in which the threat actors were able to gain access to the laptops of some senior US officials.

US officials allege that Salt Typhoon is doing more than just gathering intelligence. It’s allegedly positioning itself to paralyze US critical infrastructure in case of a conflict with China. Beijing has repeatedly denied being behind the intrusions.

Despite the threat, Trump’s administration seems to have paused plans to sanction China’s Ministry of State Security over last year’s Salt Typhoon intrusions. Reportedly, Washington is concerned that sanctioning Beijing would undermine the trade deal framework both countries agreed to in October.

