Cisco’s Networking Academy, a global training program designed to educate IT students in the basics of IT networks and cybersecurity, proudly touts its accessibility to participants around the world: “We believe education can be the ultimate equalizer, enabling anyone, regardless of background, to develop expertise and shape their destiny in a digital era,” reads the first line on its website.
That laudable statement, however, reads a bit differently when the “destiny” of those students appears to be owning a majority stake in companies linked to one of the most successful Chinese state-sponsored hacking operations ever to target the West—and many of Cisco’s own products.
That’s the surprising conclusion of Dakota Cary, a researcher at cybersecurity firm SentinelOne and the Atlantic Council, who, like many security analysts, has closely tracked the Chinese state-sponsored hacker group known as Salt Typhoon. That cyberespionage group gained notoriety last year when it was revealed that the hackers had penetrated at least nine telecom companies and gained the ability to spy on Americans’ real-time calls and texts, specifically targeting then-presidential and vice presidential candidates Donald Trump and JD Vance, among many others. Salt Typhoon has come to be known, in fact, for its sophisticated hacking of network devices—including those sold by Cisco, the world’s biggest networking company. US government agencies have warned that the hackers exploited Cisco’s vulnerabilities to obtain user credentials and stealthily move through IT networks without planting malware on victims’ machines that can be detected by typical security measures.
Now Cary believes he’s deduced where a couple of the individuals tied to Salt Typhoon’s hacking spree may have learned a few of their skills. He found the names of two partial owners of contract firms linked to Salt Typhoon in a recent US government advisory about the group. Those names—Qiu Daibing and Yu Yang—also appeared in university records, showing that students with the same two names had, years earlier, placed in the Cisco Networking Academy Cup, a competition designed to test participants on the knowledge taught in Cisco’s Networking Academy training program.
“It’s just wild that you could go from that corporate-sponsored training environment into offense against that same company,” Cary says, describing his theory. “You have two students come out of this Cisco Networking Academy and they go on to help conduct one of the most extensive telecom collection campaigns that’s ever been made public.”
When WIRED reached out to Cisco about Cary’s findings, the company responded in a statement that the Cisco Networking Academy is “a skills-to-jobs program that teaches foundational technology skills and digital literacy, helping millions of students obtain the skills to earn basic certifications for entry-level IT jobs each year,” adding that “this program is open to everyone” and has educated more than 28 million students in 190 countries since it launched in 1997.
“Cisco remains committed to helping people around the world gain the foundational digital skills needed to access careers in technology and the opportunities they provide,” the company’s statement concludes.
While the Cisco Networking Academy offers a general education in IT networking—not limited to Cisco products—it does prominently feature “ethical hacker” courses, including penetration testing and security vulnerability discovery and assessment, though it’s not clear if Qiu and Yu took those courses.
Cary’s detective work that turned up Qiu and Yu’s apparent participation in the Cisco Networking Academy began in September, when the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory in partnership with the FBI, the NSA, and agencies in a dozen other countries that linked three companies to Salt Typhoon: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. Cary began looking up corporate records for those firms and found that Qiu Daibing owned 45 percent of the shares of Beijing Huanyu Tianqiong, that Yu Yang held the other 55 percent of shares of that company, and that Yu also held 50 percent of the shares of Sichuan Zhixin Ruijie. What’s more, Qiu and Yu appear to have filed patents together, suggesting their involvement at Beijing Huanyu Tianqiong went beyond management to technical work, too.
Cary began googling the two men’s names and found that two people with those names appeared together in a document posted to the website of the university they appear to have attended, Southwestern Petroleum University in China’s Sichuan province. The record shows that individuals with both names placed in the Cisco Networking Academy Cup in 2012: Qiu Daibing and a teammate ranked third nationally across China and first in Sichuan. Yu Yang and another teammate ranked second in Sichuan.
Cary also spotted the LinkedIn page for a Qiu Daibing based in Sichuan who attended Southwestern Petroleum University and listed Ruijie Networks, a company with a different but strangely similar name to one named in the Salt Typhoon advisory, as his only “interest.”
To try to determine the probability of those name repetitions being a coincidence, Cary checked two databases of Chinese names and consulted with Yi Fuxian, a professor of Chinese demography at the University of Wisconsin–Madison. The name Qiu Daibing—or 邱代兵 in Chinese characters—turned out to be a relatively unlikely name to show up twice just by chance, he says. The surname 邱 alone, Yi confirmed to WIRED, represents just 0.27 percent of Chinese names, and in combination with the specific 代兵 given name would represent a far smaller percentage.
The name Yu Yang (余洋 in Chinese characters) is more common. But the two names appearing in association seems less likely to be a coincidence, Cary theorizes. “The sheer improbability of somebody having this name also being paired with a Yu Yang, having this skill set and going to the same university in the same location where these companies are registered, it’s just an incredibly small chance that these are not the right people,” Cary argues.
WIRED attempted to contact Qiu Daibing and Yu Yang via both Qiu Daibing’s LinkedIn page and an email address on the website of Beijing Huanyu Tianqiong, but received no response.
If Cary’s theory that two men linked to Salt Typhoon were in fact trained in Cisco’s Networking Academy is correct, it doesn’t represent a flaw or security oversight in Cisco’s program, he says. Instead, it points to a tough-to-avoid issue in a globalized market where technology products—and even training in the technical details of those products—are widely available, including to potential hacking adversaries.
Cary argues that the issue has only become more glaring, however, as China has tried for years to replace Cisco equipment and other western devices in its own networks with domestic alternatives. “If China is moving in the direction of actually removing these products from Chinese networks,” Cary asks, “who’s still interested in learning about them?”
China has, meanwhile, increasingly restricted its own information-sharing with the global cybersecurity community, for instance by pressuring security researchers not to present findings at international conferences, points out John Hultquist, chief analyst at Google’s Threat Intelligence Group.
“It’s like we’re in a sharing group and they’ve told us straight to our face that they’re not going to reciprocate,” Hultquist says. “We’re benefiting them with our programs. But it’s not going in the other direction.”
The post 2 Men Linked to China’s Salt Typhoon Hacker Group Likely Trained in a Cisco ‘Academy’ appeared first on Wired.




