A new report from SentinelLabs sheds light on the origins of “Salt Typhoon,” the hacking group responsible for one of the most brazen intelligence collection efforts of the last decade. The operators, once eager students competing in a Cisco networking competition, have since weaponized that very training to compromise global telecommunications infrastructure.
First detected in September 2024, the Salt Typhoon campaign has left a trail of compromised networks in its wake. According to a recent advisory, the group penetrated over 80 telecommunications companies globally, harvesting unencrypted calls and text messages from high-profile targets, including U.S. presidential candidates and Washington experts.
Most alarmingly, the group didn’t just listen in; they broke into the systems designed for law enforcement itself. The report notes that “Systems embedded in telecommunications companies for CALEA, which facilitates lawful intercept of criminals’ communications, were also breached by Salt Typhoon”.
Behind the keyboard of this geopolitical storm are two individuals identified as Yuyang (余洋) and Qiu Daibing (邱代兵). Far from being shadowy, unknown figures, they are co-owners of companies explicitly named in cybersecurity advisories: Beijing Huanyu Tianqiong and Sichuan Zhixin Ruijie.
The two have a long, documented history of collaboration, working closely to “file patents and orchestrate the attacks”.
The duo’s path to state-sponsored hacking began not in a military bunker, but in a classroom. Thirteen years prior to being named in a U.S. advisory, Yuyang and Qiu Daibing were students at Southwest Petroleum University (SWPU), a regional institution with “relatively few accolades for its cybersecurity and information security programs”.
Despite their school’s modest reputation, the pair excelled. In the 2012 Cisco Network Academy Cup, representing SWPU, Yuyang’s team placed second in Sichuan, while Qiu Daibing’s team took first prize and eventually secured third place nationally.
The report draws a poignant parallel to classic rivalries, noting that this high-tech espionage story “disguises a tale as old as time: skilled master trains apprentice… apprentice usurps the master”. It compares their trajectory to famous falling-outs, such as “Gordon Ramsay’s feud with Marco Pierre White” and “Anakin’s rise under Obi-wan Kenobi”.
The revelation highlights a critical vulnerability in global tech education initiatives. The Cisco Network Academy, which entered China in 1998, trained students on the very products—Cisco IOS and ASA Firewalls—that Salt Typhoon later exploited.
While the academy has trained over 200,000 students in China, the success of Yuyang and Qiu underscores a “Ratatouille” lesson for the cybersecurity world: “Anyone can cook”. Two students from a poorly-regarded university used standard corporate training to build an offensive capability that rivals nation-states.
The incident serves as a stark warning for Western technology firms operating in geopolitical hotspots. The report suggests that “offensive capabilities against foreign IT products likely emerge when companies begin supplying local training,” inadvertently boosting foreign offensive research.
While such initiatives drove sales for decades, the landscape has shifted. As the report concludes, “As China seeks to delete American-made IT from its tech stacks, these initiatives may present more risk than reward”.