**2 Men Linked to China's Salt Typhoon Hacker Group Likely Trained in a Cisco 'Academy'**

Cisco's Networking Academy, a global training program designed to educate IT students in the basics of IT networks and cybersecurity, proudly touts its accessibility to participants around the world: "We believe education can be the ultimate equalizer, enabling anyone, regardless of background, to develop expertise and shape their destiny in a digital era," reads the first line on its website. But that laudable statement takes on a different tone when considering that the "destiny" of those students appears to be linked to one of the most successful Chinese state-sponsored hacking operations ever to target the West.

Dakota Cary, a researcher at cybersecurity firm SentinelOne and the Atlantic Council, has closely tracked the Chinese state-sponsored hacker group known as Salt Typhoon. The cyberespionage group gained notoriety last year when it was revealed that the hackers had penetrated at least nine telecom companies and gained the ability to spy on Americans' real-time calls and texts, specifically targeting then-presidential and vice presidential candidates Donald Trump and JD Vance, among many others.

Salt Typhoon has come to be known for its sophisticated hacking of network devices, including those sold by Cisco, the world's biggest networking company. US government agencies have warned that the hackers exploited Cisco's vulnerabilities to obtain user credentials and stealthily move through IT networks without planting malware on victims' machines that can be detected by typical security measures.

Cary believes he's deduced where a couple of the individuals tied to Salt Typhoon's hacking spree may have learned their skills. He found the names of two partial owners of contract firms linked to Salt Typhoon in a recent US government advisory about the group. Those names—Qiu Daibing and Yu Yang—also appeared in university records, showing that students with the same two names had, years earlier, placed in the Cisco Networking Academy Cup, a competition designed to test participants on the knowledge taught in Cisco's Networking Academy training program.

"It's just wild that you could go from that corporate-sponsored training environment into offense against that same company," Cary says, describing his theory. "You have two students come out of this Cisco Networking Academy, and they go on to help conduct one of the most extensive telecom collection campaigns that's ever been made public."

Cisco responded to WIRED about Cary's findings in a statement that the Cisco Networking Academy is "a skills-to-jobs program that teaches foundational technology skills and digital literacy, helping millions of students obtain the skills to earn basic certifications for entry-level IT jobs each year." However, Chinese-language instructor materials from 2012 do make extensive references to specific Cisco equipment.

Cary's detective work that turned up Qiu and Yu's apparent participation in the Cisco Networking Academy began in September, when the Cybersecurity and Infrastructure Security Agency released an advisory in partnership with the FBI, the National Security Agency, and agencies in a dozen other countries that linked three companies to Salt Typhoon: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.

Cary began looking up corporate records for those firms and found that Qiu Daibing owned 45 percent of the shares of Beijing Huanyu Tianqiong, that Yu Yang held the other 55 percent of shares of that company, and that Yu also held 50 percent of the shares of Sichuan Zhixin Ruijie. What's more, Qiu and Yu appear to have filed patents together, suggesting their involvement at Beijing Huanyu Tianqiong went beyond management to technical work, too.

Cary began googling the two men's names and found that two people with those names appeared together in a document posted to the website of the university they appear to have attended, Southwestern Petroleum University in China's Sichuan province. The record shows that individuals with both names placed in the Cisco Networking Academy Cup in 2012: Qiu Daibing and a teammate ranked third nationally across China and first in Sichuan. Yu Yang and another teammate ranked second in Sichuan.

Cary also spotted the LinkedIn page for a Qiu Daibing based in Sichuan who attended Southwestern Petroleum University and listed Ruijie Networks, a company with a different but strangely similar name to one named in the Salt Typhoon advisory, as his only "interest."

To try to determine the probability of those name repetitions being a coincidence, Cary checked two databases of Chinese names and consulted with Yi Fuxian, a professor of Chinese demography at the University of Wisconsin–Madison. The name Qiu Daibing—or 邱代兵 in Chinese characters—turned out to be a relatively unlikely name to show up twice just by chance, he says.

The surname 邱 alone, Yi confirmed to WIRED, represents just 0.27 percent of Chinese names, and in combination with the specific 代兵 given name would represent a far smaller percentage. The name Yu Yang (余洋 in Chinese characters) is more common. But the two names appearing in association seems less likely to be a coincidence, Cary theorizes.

"The sheer improbability of somebody having this name also being paired with a Yu Yang, having this skill set and going to the same university in the same location where these companies are registered, it's just an incredibly small chance that these are not the right people," Cary argues.

WIRED attempted to contact Qiu Daibing and Yu Yang via both Qiu Daibing's LinkedIn page and an email address on the website of Beijing Huanyu Tianqiong but received no response. If Cary's theory is correct, it doesn't represent a flaw or security oversight in Cisco's program, he says.

Instead, it points to a tough-to-avoid issue in a globalized market where technology products—and even training in the technical details of those products—are widely available, including to potential hacking adversaries. Cary argues that the issue has only become more glaring, however, as China has tried for years to replace Cisco equipment and other Western devices in its own networks with domestic alternatives.

"If China is moving in the direction of actually removing these products from Chinese networks," Cary asks, "who's still interested in learning about them?"

China has, meanwhile, increasingly restricted its own information-sharing with the global cybersecurity community. John Hultquist, chief analyst at Google's Threat Intelligence Group, points out that China has pressured security researchers not to present findings at international conferences.

"It's like we're in a sharing group, and they've told us straight to our face that they're not going to reciprocate," Hultquist says. "We're benefiting them with our programs. But it's not going in the other direction."