Research Suggests Two Men Linked to China’s Salt Typhoon Hacker Group May Have Trained Through Cisco’s Global Academy

A surprising connection has emerged between Cisco’s worldwide IT training program and one of China’s most sophisticated state linked cyberespionage groups. New research indicates that two individuals tied to companies associated with the Salt Typhoon hacking operation appear to have participated in a Cisco sponsored networking competition years before the group exploited vulnerabilities in Cisco devices as part of a major intelligence gathering effort.

Salt Typhoon drew global attention after US agencies revealed that the group had breached at least nine telecommunications companies, gaining access to real time phone and text data belonging to political figures including former presidential candidates. The group specialises in infiltrating network infrastructure, often relying on weaknesses in devices manufactured by Cisco, one of the world’s leading networking companies.

Researcher Dakota Cary, from SentinelOne and the Atlantic Council, discovered that the names of two partial owners of firms linked to Salt Typhoon also appeared in records from Cisco’s Networking Academy Cup, a competition tied to the company’s long running training program. According to university documents, individuals with the same names placed highly in the 2012 competition while enrolled at Southwestern Petroleum University in Sichuan.

The men, identified in US government advisories as Qiu Daibing and Yu Yang, hold major ownership stakes in firms linked to Salt Typhoon’s operations. Corporate filings show they share ownership of Beijing Huanyu Tianqiong Information Technology, and Yu also partly owns Sichuan Zhixin Ruijie Network Technology. Patent filings list both men as collaborators, indicating they played technical rather than administrative roles within the organisations.

Cary’s analysis involved reviewing name frequencies in Chinese demographic databases and cross checking university records. He concluded that the probability of two unrelated individuals sharing the same uncommon combination of names, attending the same institution and later forming part of the same corporate network, was extremely low. While not conclusive proof, the overlap strongly suggests that Qiu and Yu may have trained in networking fundamentals through Cisco’s Academy before entering environments linked to offensive cyber operations.

Cisco responded to the findings by underscoring that its Academy is a global skills program designed to teach fundamental IT and networking concepts, including digital literacy and entry level cybersecurity skills. The company stated that the program has trained more than 28 million students worldwide and remains open to all. Courses include modules on penetration testing and vulnerability discovery, though it is unclear whether the two individuals took that track.

Cary argues that the potential link highlights a structural challenge in worldwide technology ecosystems. Open access to training and widely distributed hardware inevitably means adversaries can study the tools they later exploit. He noted that the situation is particularly ironic given China’s ongoing push to remove Western networking equipment from its domestic infrastructure. If reliance on Cisco devices is diminishing within China, the expertise gained by figures such as Qiu and Yu is most likely being applied outside its borders.

Security analysts say this disconnect is made more complex by China’s increasingly restrictive approach to cybersecurity information sharing. Researchers and organisations have reported growing pressure on Chinese experts not to present findings internationally, creating an asymmetry where global companies provide training and transparency, while reciprocal insights from China are diminishing.

Salt Typhoon’s activities remain under close scrutiny, and the potential academic origins of some of its contributors provide new context for how cyber operators gain expertise. While the Cisco program itself is not at fault, the findings underscore how global training platforms can unintentionally support actors whose goals diverge sharply from their stated mission of broadening educational access in the digital era.

Photo Credit: DepositPhotos.com