Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network Academy
The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
Two key players in the notorious Salt Typhoon hacker group are former Cisco Network Academy trainees, according to researchers at SentinelLabs.
An investigation by the firm suggests Yu Yang and Qiu Daibing used their insider product knowledge to compromise telecoms systems in one of the largest intelligence-gathering operations of the decade.
Salt Typhoon collected unencrypted calls and texts between US presidential candidates, key staffers, and China experts.
The Cisco Network Academy began in 1997 and entered the Chinese market in 1998. It has now trained more than 200,000 students in China - most, of course, perfectly reputable.
Qiu and Yu were apparently top students at the 2012 Cisco Network Academy Cup, representing Southwest Petroleum University. However, a little sleuthing revealed that the pair are co-owners of Beijing Huanyu Tianqiong, with Yu also tied to Sichuan Zhixin Ruijie.
Both of these companies were named in a Salt Typhoon cybersecurity advisory by US authorities.
"Among the content covered in Cisco networking academy were many of the products Salt Typhoon exploited, including Cisco IOS and ASA firewalls," said Dakota Cary, a China-focused consultant at SentinelOne.
"Of course, a product training academy educating students on the company’s wares is hardly surprising. More notable is the fact that two students from a regional university, with limited recognition in IT and cybersecurity education, participated in the Cisco Network Academy and went on to run one of the most expansive collection operations against global telecommunications firms ever detected and disclosed publicly."
Salt Typhoon has been on a rampage
Salt Typhoon has quickly emerged as one of the most notorious state-sponsored hacker groups globally. As ITPro reported last year, a campaign by the threat group saw it intercept unencrypted calls and texts from high-value US political targets dating back to 2019.
Targets in this campaign spanned a wide range of sectors, focusing mainly on large backbone routers of major telecommunications providers, as well as provider edge and customer edge routers.
The group is still active, with the US Department of Defense (DoD) revealing in July that Salt Typhoon had breached and lain low in the network of an unnamed US state National Guard for almost a year.
In September, the FBI warned that the group was ramping up attacks globally, having hit more than 60 organizations in 80 countries.
Education schemes could cause blowback
SentinelLabs said the unmasking of Qiu and Yu reveals the long-term security risks of global tech education pipelines, which can be exploited by state-linked operators.
"The episode suggests that offensive capabilities against foreign IT products likely emerge when companies begin supplying local training and that there is a potential risk of such education initiatives inadvertently boosting foreign offensive research," said Cary.
"Qiu and Yu are not an oddity; they are evidence of a world in which today’s students can become tomorrow’s rivals with little more than time, opportunity, and a different notion of whose security they serve."
ITPro approached Cisco for comment, but did not receive a response by the time of publication.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
