**Researcher Claims Salt Typhoon Cyber Spies Attended Cisco Training Scheme**

The allegations have sparked concerns about the potential misuse of cybersecurity training programs by nation-state hackers.

A security researcher specializing in tracking China threats has made a bombshell claim: two members of the notorious Chinese state hacking group, Salt Typhoon, attended a training scheme run by networking giant Cisco. The revelation raises questions about the potential for cybersecurity training programs to be exploited by malicious actors.

According to Dakota Cary, a researcher at SentinelLabs, Yu Yang and Qiu Daibing, two alleged members of Salt Typhoon, were former attendees of the 2012 Cisco Networking Academy Cup in China. The initiative, which is still running today, provides beginners with foundational cybersecurity skills through a series of competitions and training sessions.

Both Yu and Qiu are co-owners of Beijing Huanyu Tianqiong, one of the Chinese tech companies identified by international security advisories as being fronts for Salt Typhoon activity. Cary's investigation revealed that Yu and Qiu represented Southwest Petroleum University in the Cisco academy cup in China, with Yu's team placing second in the Sichuan region and Qiu's team winning the competition in their region and later placing third nationally.

Cary noted a link between the training provided by the Cisco Networking Academy Cup and the products that Salt Typhoon allegedly exploited at Beijing's behest. He stated, "The Cisco Networking Academy began in 1997 and entered China's market in 1998. Among the content covered in Cisco Networking Academy were many of the products Salt Typhoon exploited, including Cisco IOS and ASA Firewalls."

Salt Typhoon was first publicly disclosed in 2024, with international cyber agencies reporting that the group carried out an expansive campaign that compromised at least 80 global telecoms companies. The attacks allowed China to snoop on secret communications between elected officials, US law enforcement's CALEA requests, and more.

Cary compared the situation to a classic tale of "skilled master trains apprentice, apprentice masters skills with tutelage, apprentice usurps the master owing to some core ideological difference between the two that festers over time." He noted that while there is no evidence to suggest that Cisco or its academy cup played any direct role in Yu and Qiu's later work as cyberspies for Beijing, the findings serve as a reminder that knowledge of offensive capabilities is likely in enemy hands.

Cary warned vendors offering local training in geopolitically unfriendly regions to be aware of this risk. He also emphasized that educational background is not a reliable predictor of workplace capability and suggested that offensive teams may benefit from sending their own people through similar training initiatives like Huawei's ICT academy.

The findings have sparked concerns about the potential for cybersecurity training programs to be exploited by nation-state hackers. While Cisco has yet to respond to The Register, Cary's research serves as a reminder of the importance of transparency and accountability in the tech industry.