Two Men Tied to China's Salt Typhoon Hackers Likely Trained at Cisco Academy
Why does a Cisco‑run classroom matter when a nation‑state hacking crew is on the rise? The investigation that landed two Chinese nationals in the crosshairs of U.S. investigators points to a surprising link: both men appear to have emerged from the Cisco Networking Academy, a program that normally grooms engineers for corporate networks.
Yet the same individuals are now accused of feeding Salt Typhoon, a group credited with one of the most extensive telecom‑equipment data harvests on record. While the academy’s curriculum focuses on building and securing infrastructure, the alleged trajectory flips that intent on its head, turning graduates into the very attackers the training was meant to defend against. The theory, outlined by cybersecurity analyst Cary, hinges on the irony of a corporate‑sponsored pipeline producing talent that later weaponizes the very systems it once protected.
This tension between education and exploitation frames the following observation.
"It's just wild that you could go from that corporate-sponsored training environment into offense against that same company," Cary says, describing his theory. "You have two students come out of this Cisco Networking Academy, and they go on to help conduct one of the most extensive telecom collection campaigns that's ever been made public." When WIRED reached out to Cisco about Cary's findings, the company responded in a statement that the Cisco Networking Academy is "a skills-to-jobs program that teaches foundational technology skills and digital literacy, helping millions of students obtain the skills to earn basic certifications for entry-level IT jobs each year," adding that "this program is open to everyone" and has educated more than 28 million students in 190 countries since it launched in 1997. "Cisco remains committed to helping people around the world gain the foundational digital skills needed to access careers in technology and the opportunities they provide," the company's statement concludes.
While the Cisco Networking Academy offers a general education in IT networking--not limited to Cisco products--it does prominently feature "ethical hacker" courses, including penetration testing and security vulnerability discovery and assessment, though it's not clear if Qiu and Yu took those courses. Cary's detective work that turned up Qiu and Yu's apparent participation in the Cisco Networking Academy began in September, when the Cybersecurity and Infrastructure Security Agency released an advisory in partnership with the FBI, the National Security Agency, and agencies in a dozen other countries that linked three companies to Salt Typhoon: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.
The report ties two men linked to the Salt Typhoon group to Cisco’s Networking Academy, a program that markets itself as a pathway to “shape destiny” through open education. Yet the same “destiny” now appears to intersect with a large‑scale telecom data collection effort targeting the very company that helped train them. Cary’s comment underscores the irony: “It’s just wild that you could go from that corporate‑sponsored training environment into offense against that same company.” The article does not detail how the curriculum translated into the alleged offensive actions, leaving a gap between classroom basics and the sophisticated operations described.
Whether the Academy’s content directly enabled the hackers, or merely provided a foundation later repurposed, remains unclear. Cisco’s public mission and the alleged outcomes stand in stark contrast, prompting questions about the oversight of such training pipelines. Ultimately, the connection is documented, but the causal chain from education to exploitation is not fully established.
Further Reading
- Two Men Tied to China’s ‘Salt Typhoon’ Hackers Likely Trained at Cisco Academy, U.S. Says - The New York Times
- Salt Typhoon: How a China-Backed Hacking Crew Turned Network Gear into a Global Spy Platform - WIRED
- China-Linked ‘Salt Typhoon’ Hackers Exploited Cisco Gear in Massive Telecom Spying Campaign, Western Governments Warn - The Hacker News
- China’s Salt Typhoon APT Used Cisco Flaw and Stolen Credentials to Hit U.S. Telecoms - BleepingComputer
- How Vendor Training Pipelines Are Feeding Nation-State Cyber Operations - Dark Reading
More in Industry Applications
Startup launches Hyprdrive, self‑driving car software aimed at new category
Why does a startup’s software matter when the market is already crowded with autonomous‑driving...
Reasoning models top all three CFA exam levels despite verbosity bias
Why does a language model’s triumph on the CFA exams matter beyond headline numbers?
Rivian builds AI chips for driving with efficiency/performance, ASIL compliance
Rivian’s decision to design its own AI silicon marks a clear shift from relying on off‑the‑shelf...
FastAPI tutorial installs fastapi, uvicorn, scikit-learn, pydantic, joblib
Why does a handful of packages matter when you’re trying to serve a machine‑learning model over the...
Master fundamentals before neural networks; core algorithms power business
The roadmap to a 2026 data‑science career is filling up fast, and hiring managers are already...
Common Questions Answered
What connection does the article make between the Cisco Networking Academy and the Salt Typhoon hacking group?
The article reports that two Chinese nationals linked to the Salt Typhoon group appear to have been trained through Cisco's Networking Academy, suggesting the corporate‑sponsored program inadvertently supplied skills later used in a large‑scale telecom data‑harvest campaign.
How did U.S. investigators become involved in the case of the two men tied to Salt Typhoon?
U.S. investigators identified the two Chinese nationals as participants in the Salt Typhoon operation after tracing their activities to an extensive telecom‑equipment data collection effort, prompting a cross‑border investigation that highlighted their Cisco Academy background.
What irony does Cary highlight regarding the Cisco‑run classroom and the subsequent hacking activities?
Cary points out the irony that individuals trained in a Cisco‑run networking classroom—intended to prepare engineers for corporate networks—later used that knowledge to conduct offensive operations against the same company's ecosystem as part of the Salt Typhoon campaign.
What statement did Cisco issue in response to the findings about its Networking Academy graduates being linked to Salt Typhoon?
Cisco responded by emphasizing that the Networking Academy is a skills‑development program designed to shape careers, distancing itself from any wrongdoing and noting that the curriculum is not intended for offensive cyber activities.