Malicious Apprentice | How Two Hackers Went From Cisco Academy to Cisco CVEs
Read how two Cisco Network Academy Cup winners went from students to operators behind Salt Typhoon, a global cyber espionage campaign targeting telecoms.
Executive Summary
- Salt Typhoon, first reported in September 2024, compromised over 80 telecommunications companies globally, facilitating an expansive intelligence collection effort that included intercepting unencrypted calls and texts, and breaching lawful intercept (CALEA) systems.
- The operation is tied to Yuyang (余洋) and Qiu Daibing (邱代兵), co-owners of companies named in the cybersecurity advisory, who worked closely to file patents and orchestrate the attacks.
- The hackers’ history traces back to the 2012 Cisco Network Academy Cup, where they excelled as students from a poorly regarded university.
- The episode suggests that offensive capabilities against foreign IT products likely emerge when companies begin supplying local training and that there is a potential risk of such education initiatives inadvertently boosting foreign offensive research.
- In markets where foreign firms are given a fair shake at competition, these initiatives still make sense. As China seeks to delete American-made IT from its tech stacks, these initiatives may present more risk than reward.
First publicly reported in September 2024, Salt Typhoon’s campaign is now known to have penetrated more than 80 telecommunications companies globally. The group’s campaign collected unencrypted calls and texts between US presidential candidates, key staffers, and many China experts in Washington, DC.
However, Salt Typhoon’s collection activity went beyond those intercepts. Systems embedded in telecommunications companies for CALEA, which facilitates lawful intercept of criminals’ communications, were also breached by Salt Typhoon. A recent Joint Cybersecurity Advisory published by the U.S. and more than 30 allies sheds light on how Salt Typhoon came to penetrate global telecommunications infrastructure.
All of that high-tech novelty disguises a tale as old as time: skilled master trains apprentice, apprentice masters skills with tutelage, apprentice usurps the master owing to some core ideological difference between the two that festers over time. Gordon Ramsay’s feud with Marco Pierre White, Anakin’s rise under Obi-Wan Kenobi, and Mao Zedong’s study of communism under Chen Duxiu all fit the mold.
This report adds Yuyang (余洋) and Qiu Daibing (邱代兵), and their history with the Cisco Networking Academy, to the list of master-apprentice-turned-rivals narrative arcs.
From Students to Operators
Qiu Daibing and Yuyang appear in various reports on companies named in the Salt Typhoon cybersecurity advisory. Both Qiu and Yu are co-owners of Beijing Huanyu Tianqiong, and Yu is also tied to another Salt Typhoon-connected company, Sichuan Zhixin Ruijie. Qiu and Yu worked closely, filing patents together for work done at Beijing Huanyu Tianqiong.
Through their work at these firms, they hacked more than 80 telecommunications companies, facilitating one of the most expansive intelligence collection efforts of the last decade.
| Person | Company (Role) |
|---|---|
| Qiu Daibing | Beijing Huanyu Tianqiong (Shareholder 45% – Held through Sichuan Kala Benba Network Security Technology Company) |
| Yu Yang | Sichuan Zhixin Ruijie (Supervisor, Shareholder 50%); Beijing Huanyu Tianqiong (Shareholder 55%) |
Qiu and Yu’s personal history extends back at least 13 years before their companies would be named in the Cybersecurity Advisory.
In 2012, the same names–Qiu Daibing and Yu Yang–appeared on different teams in the Cisco Network Academy Cup, both representing their school, Southwest Petroleum University. Yu Yang’s team would win second place in Sichuan. Qiu Daibing’s team took first prize and eventually won third place nationally.
[List of Cisco Network Academy Cup winners from Southwest Petroleum University]
The data suggests this is not just some weird name collision and a case of mistaken identity. A database of 1.2 billion Chinese last names from 1930 to 2008 compiled by Bruce H.W.S. Bao at East China Normal University finds the last name “Qiu” (邱) is used by 0.27% of China’s population.
A second database of 30,282,623 first names from 1920-2019 shows the first name “Daibing” (代兵) occurring at a rate of 0.000845%. In other words, there are approximately 3,194 “Qiu Daibings” in China, or 0.000228% of the population. Yu Yang is a much more common name, so it is less useful for trying to de-duplicate these characters.
[Qiu Daibing's LinkedIn profile]
Qiu Daibing helpfully created a LinkedIn account. His education confirms that this person is the same Qiu Daibing who won the Cisco Network Cup competition as a SWPU student in 2012. But his employer is listed as Ruijie Network Company, not Sichuan Zhixin Ruijie. Why?
Qiu likely selected this much larger, well-known networking company in China with a partial name match simply because Sichuan Zhixin Ruijie is not a verified employer on LinkedIn. Although Qiu Daibing is not listed in corporate records as a shareholder of Sichuan Zhixin Ruijie, that absence of evidence does not preclude him from having been an employee at his friend Yu Yang’s company.
Alternatively, it is far less likely that two people with the same name, in the same province, in the same line of work, work at companies which have a partial name match. The odds of that happening? Even less than 0.000228%.
[...]
📄 CN115065529B.pdf
📄 2012hj.pdf