From Cisco Classrooms to Cyber Warfare: The Salt Typhoon Connection You Didn’t See Coming

The Unexpected Journey: From Cisco Networking Academy to State-Sponsored Cyber Espionage

In the vast and ever-evolving landscape of cybersecurity, surprising connections can emerge from the most unexpected places. Imagine a global training program designed to give people the foundational skills to build and secure our digital world, and then discovering that individuals linked to one of the most sophisticated Chinese state-sponsored hacking operations may have honed their craft within its very walls. This is precisely the intriguing, and frankly startling, revelation brought to light by cybersecurity researcher Dakota Cary.

Cary, a keen observer of the cyber threat intelligence firm SentinelOne and a fellow at the Atlantic Council, has been meticulously tracking the activities of a notorious Chinese state-sponsored hacking collective known as Salt Typhoon. This group has recently garnered significant attention for its audacious cyberespionage campaigns. Last year, it was revealed that Salt Typhoon had successfully infiltrated at least nine telecommunications companies, gaining the alarming capability to eavesdrop on real-time calls and text messages of Americans, with a particular focus on prominent political figures like then-presidential and vice-presidential candidates Donald Trump and JD Vance.

Salt Typhoon’s notoriety stems from its sophisticated exploitation of network devices, with a particular focus on hardware manufactured by Cisco, the undisputed giant in the networking industry. US government agencies have sounded the alarm, detailing how these hackers skillfully exploited vulnerabilities in Cisco devices. Their methods were stealthy, allowing them to obtain user credentials and navigate IT networks undetected. Crucially, they managed to achieve this without deploying malware onto victims’ machines, making their intrusions incredibly difficult for conventional security measures to detect.

Unraveling the Thread: Names in the Shadows

Now, Cary’s in-depth research suggests a potential origin story for some of the individuals involved in Salt Typhoon’s disruptive activities. His investigation unearthed a significant link: the names of two individuals who hold partial ownership in companies associated with Salt Typhoon also appear in records related to a Cisco training program. These names, Qiu Daibing and Yu Yang, are central to Cary’s compelling hypothesis.

The initial clue came from a US government advisory released in September by the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, the National Security Agency, and international partners. This advisory implicated three specific companies in Salt Typhoon’s operations: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.

Cary, diving into corporate records for these entities, discovered that Qiu Daibing held a 45 percent stake in Beijing Huanyu Tianqiong Information Technology, while Yu Yang owned the remaining 55 percent of that company. Furthermore, Yu Yang also held a 50 percent share in Sichuan Zhixin Ruijie Network Technology. The depth of their involvement appeared to extend beyond mere management; Qiu and Yu had also jointly filed patents, hinting at their active participation in technical work within these firms.

The Cisco Networking Academy Cup: A Surprising Connection

With these names identified, Cary embarked on a digital deep dive. A simple Google search for Qiu Daibing and Yu Yang led him to university records from Southwestern Petroleum University in China’s Sichuan province. The unearthed document revealed that individuals with these identical names had participated in the Cisco Networking Academy Cup in 2012. This competition is specifically designed to test participants’ knowledge acquired through Cisco’s globally recognized Networking Academy training program.

The records indicated that Qiu Daibing, alongside a teammate, secured third place nationally across China and first place within Sichuan province. Yu Yang, with another teammate, ranked second in Sichuan. This confluence of names appearing together in both ownership of companies linked to a major hacking group and as competitors in a Cisco-sponsored technical challenge is what struck Cary as highly improbable to be a mere coincidence.

The Unlikelihood of Chance: Demographics and Digital Footprints

To rigorously assess the probability of this name overlap being coincidental, Cary consulted with Yi Fuxian, a distinguished professor of Chinese demography at the University of Wisconsin-Madison. The name Qiu Daibing, rendered in Chinese characters as 邱代兵, is statistically a relatively uncommon combination. Professor Yi confirmed that the surname 邱 alone accounts for approximately 0.27 percent of Chinese names, making the specific given name combination 代兵 an even rarer occurrence when paired with it.

While Yu Yang (余洋) is a more common name, Cary argues that the crucial factor is that both names appear together in such specific contexts. He reasons that a person named Qiu Daibing with the skills and background for advanced hacking, paired with a Yu Yang, both attending the same university in the same region where the implicated companies are registered, is so unlikely to arise by chance that the probability of these not being the same individuals is extraordinarily low.

Cary also noted a LinkedIn profile for a Qiu Daibing based in Sichuan, who attended Southwestern Petroleum University. This profile listed Ruijie Networks – a company with a name remarkably similar to one named in the Salt Typhoon advisory – as their sole ‘interest.’ While not directly implicating Ruijie Networks, it further strengthens the circumstantial evidence linking individuals with these names and backgrounds to the cybersecurity realm.

WIRED’s attempts to contact Qiu Daibing and Yu Yang through the LinkedIn profile and an email address associated with Beijing Huanyu Tianqiong were met with no response.

Cisco’s Response: A Global Program’s Reach

Cisco, when approached by WIRED regarding Cary’s findings, provided a statement emphasizing the broad reach and educational intent of its Networking Academy. "The Cisco Networking Academy is a skills-to-jobs program that teaches foundational technology skills and digital literacy, helping millions of students obtain the skills to earn basic certifications for entry-level IT jobs each year," the company stated. They highlighted that the program is "open to everyone" and has educated over 28 million students across 190 countries since its inception in 1997.

"Cisco remains committed to helping people around the world gain the foundational digital skills needed to access careers in technology and the opportunities they provide," the statement concluded. It’s important to note that while the Cisco Networking Academy provides a comprehensive IT networking education, which isn’t exclusively focused on Cisco products, it does offer courses in areas like ethical hacking, penetration testing, and security vulnerability assessment. It remains unclear whether Qiu and Yu specifically took these advanced security-focused modules.

A Globalized Dilemma: Skills in the Wrong Hands?

If Cary’s hypothesis holds true – that individuals linked to Salt Typhoon received training through Cisco’s Networking Academy – it doesn’t necessarily point to a flaw or a security lapse in Cisco’s program itself. Instead, it underscores a challenging, perhaps unavoidable, reality in our increasingly globalized technological landscape. The accessibility of cutting-edge technology and the training required to master it means that such knowledge can also fall into the hands of adversaries, including state-sponsored hacking groups.

This issue becomes even more pronounced given China’s stated ambitions to phase out Western technology, including Cisco equipment, in favor of domestic alternatives. As Cary points out, if China is actively working to remove these products from its own networks, the question arises: who within that ecosystem still has a vested interest in deeply understanding their intricacies?

John Hultquist, chief analyst at Google’s Threat Intelligence Group, adds another layer to this concern, noting China’s increasing restriction of information sharing with the global cybersecurity community. He cites instances where Chinese authorities have pressured researchers against presenting findings at international conferences, creating a one-sided flow of information. "It’s like we’re in a sharing group, and they’ve told us straight to our face that they’re not going to reciprocate," Hultquist observes. "We’re benefiting them with our programs. But it’s not going in the other direction."

The Broader Implications for Cybersecurity

The findings, if substantiated, raise profound questions for the cybersecurity industry and educational institutions alike. While Cisco’s Networking Academy serves a vital purpose in building a global talent pool for the tech industry, the potential for its curriculum to be leveraged by malicious actors highlights the inherent complexities of knowledge dissemination in a geopolitical climate fraught with cyber threats.

The case of Salt Typhoon and its potential connection to foundational IT training serves as a stark reminder that cybersecurity is not just about sophisticated tools and exploits, but also about the human element and the education that shapes individuals’ capabilities. As the digital battlefield continues to expand, understanding these intricate connections becomes paramount in our ongoing efforts to defend against emerging cyber threats.

This story is a testament to the relentless detective work of cybersecurity researchers and the critical importance of transparency in the digital age. It compels us to consider how the very tools and knowledge meant to secure our digital future can, in the wrong hands, become instruments of espionage and disruption.
