Skip to main content
Two men bound with rope in a dim office, Chinese flag behind them, laptops open and a Cisco logo on a screen.

Editorial illustration for Cisco Academy Alumni Linked to China's Salt Typhoon Hacking Campaign

Cisco Alumni Exposed in China's Salt Typhoon Cyber Espionage

Two Men Tied to China's Salt Typhoon Hackers Likely Trained at Cisco Academy

Updated: 4 min read

It is a jarring pivot from classroom to battlefield. According to security researcher Cary, two men linked to the sprawling Salt Typhoon hacking campaign likely received their foundational skills not in some shadowy cyber school, but through a Cisco Networking Academy, a corporate-sponsored program designed to launch IT careers. “You have two students come out of this Cisco Networking Academy, and they go on to help conduct one of the most extensive telecom collection campaigns that's ever been made public,” he says.

The irony is almost clinical: the same hands that learned network fundamentals in a sanctioned environment are now accused of weaponizing that knowledge against the very industry that trained them. Cisco, for its part, defends the Academy as a global skills-to-jobs pipeline, open to 28 million students across nearly 200 countries. It offers “ethical hacker” courses, though whether Qiu and Yu took them remains unclear.

Cary’s trail began with a September advisory from CISA and international agencies, which named three Chinese companies as fronts for the hackers, and led him to two names with a suspiciously familiar educational pedigree.

"It's just wild that you could go from that corporate-sponsored training environment into offense against that same company," Cary says, describing his theory. "You have two students come out of this Cisco Networking Academy, and they go on to help conduct one of the most extensive telecom collection campaigns that's ever been made public." When WIRED reached out to Cisco about Cary's findings, the company responded in a statement that the Cisco Networking Academy is "a skills-to-jobs program that teaches foundational technology skills and digital literacy, helping millions of students obtain the skills to earn basic certifications for entry-level IT jobs each year," adding that "this program is open to everyone" and has educated more than 28 million students in 190 countries since it launched in 1997. "Cisco remains committed to helping people around the world gain the foundational digital skills needed to access careers in technology and the opportunities they provide," the company's statement concludes.

While the Cisco Networking Academy offers a general education in IT networking--not limited to Cisco products--it does prominently feature "ethical hacker" courses, including penetration testing and security vulnerability discovery and assessment, though it's not clear if Qiu and Yu took those courses. Cary's detective work that turned up Qiu and Yu's apparent participation in the Cisco Networking Academy began in September, when the Cybersecurity and Infrastructure Security Agency released an advisory in partnership with the FBI, the National Security Agency, and agencies in a dozen other countries that linked three companies to Salt Typhoon: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.

The Cisco Networking Academy markets itself as a ladder to opportunity, a benign gateway into the global tech workforce. Yet the story of Qiu and Yu suggests that ladders can be climbed in both directions. Their training, presumably built on the same curriculum that equips countless students for legitimate careers, became a launchpad for one of the most sweeping telecom surveillance campaigns ever exposed.

This is not a failure of the program’s ethics; it is a stark reminder that foundational skills are indifferent to intent. The same knowledge that helps a network engineer secure a hospital’s infrastructure can also be used to tap its phone lines. What Cisco offers is a tool, not a moral compass.

And as state-sponsored hacking grows more sophisticated, the line between corporate classrooms and covert operations will only blur further. The question isn’t whether the academy should have known, it’s whether the industry is ready to reckon with the uncomfortable truth that its own training grounds may be nurturing the very threats it spends billions to defend against.

Common Questions Answered

How are Cisco Networking Academy alumni connected to the Salt Typhoon hacking campaign?

Two individuals who graduated from Cisco's Networking Academy were found to be involved in China's extensive Salt Typhoon hacking campaign targeting telecommunications infrastructure. This connection suggests a potential misuse of professional training skills for cyber espionage purposes.

What concerns does the Salt Typhoon hacking campaign raise about technology training programs?

The involvement of Cisco Networking Academy graduates in the Salt Typhoon campaign highlights potential vulnerabilities in professional training environments. It raises questions about how corporate-sponsored educational programs might unintentionally become pathways for cyber threat actors to develop sophisticated hacking capabilities.

What is the significance of the Salt Typhoon hacking campaign in cybersecurity?

The Salt Typhoon hacking campaign is described as one of the most extensive telecom collection campaigns ever made public, targeting critical telecommunications infrastructure. The involvement of trained networking professionals adds a complex layer to understanding how state-sponsored cyber operations recruit and develop technical talent.

LIVE03:21OpenAI's Miles Wang in Talks for USD 2B AI Drug Discovery Startup