Former Cisco Trainees Lead ‘Salt Typhoon’ Cyber-Espionage Attacks on Global Networks

From Cisco Trainees to Cyber Adversaries: The Rise of Salt Typhoon

In a striking turn of events, two Chinese nationals, Yuyang and Qiu Daibing, have gone from being top performers in Cisco's Networking Academy to running companies that conduct sophisticated cyber-attacks against Cisco devices. Their path from students to state-sponsored hackers underscores the complex challenges in global cybersecurity.

Educational Background and Early Achievements

In 2012, while studying at Southwest Petroleum University in China, Yuyang and Qiu competed in the Cisco Networking Academy Cup. Despite the university's modest reputation in cybersecurity education, both showed exceptional talent: Qiu's team placed third nationally, and Yuyang's team placed second in Sichuan province. Their curriculum included in-depth training on Cisco IOS and ASA firewalls, giving them a solid grounding in exactly the equipment they would later target.

The Emergence of Salt Typhoon

By 2024, Yuyang and Qiu had become co-owners of companies implicated in the Salt Typhoon cyber-espionage campaign. This operation, as detailed in a Joint Cybersecurity Advisory by the United States and over 30 allied nations, compromised more than 80 telecommunications companies worldwide. The campaign's reach was extensive: it intercepted unencrypted communications between U.S. presidential candidates, key staffers, and China policy experts. Notably, the hackers also infiltrated CALEA (Communications Assistance for Law Enforcement Act) systems, the lawful-intercept infrastructure telecommunications companies operate to give law enforcement court-authorized access to communications.

Technical Exploitation and Methodologies

Salt Typhoon's success can be attributed to its exploitation of specific vulnerabilities in Cisco devices. The group chained two flaws in Cisco IOS XE software: CVE-2023-20198, a privilege-escalation vulnerability in the web user interface that lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative access), and CVE-2023-20273, a command-injection vulnerability that such an account can use to run commands as root. Initial access therefore required nothing more than a reachable web UI. Once a device was compromised, the attackers reconfigured it to establish Generic Routing Encapsulation (GRE) tunnels, giving them persistent access and a covert path for data exfiltration. GRE carries no encryption or authentication, but it is ordinary routing traffic (IP protocol 47) that perimeter filters commonly permit, and a tunnel interface configured on the router itself looks like legitimate infrastructure; a firewall or intrusion detection system that does not decapsulate GRE sees only the outer IP header, so the tunnelled traffic between compromised devices and the command-and-control infrastructure went largely uninspected.

Targeted Organizations and Global Impact

The campaign primarily targeted telecommunications providers and universities across multiple countries. Key victims included a U.S.-based affiliate of a U.K. telecom provider, a South African telecommunications company, and ISPs in Italy and Thailand. Universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, Vietnam, and the U.S., including UCLA and TU Delft, were also affected. These targets were likely chosen for their association with cutting-edge research in telecommunications, engineering, and technology. More than half of the targeted devices were located in the U.S., South America, and India. Researchers identified over 12,000 Cisco devices globally with the web UI exposed to the internet, but noted that Salt Typhoon's campaign was highly selective, focusing on approximately 8% of them.

Strategic Intelligence Objectives

Salt Typhoon's activities extend beyond technical exploitation to strategic intelligence objectives. Persistent access to telecommunications networks lets state-backed actors monitor communications, disrupt services, and manipulate data flows. The group's focus on lawful-intercept systems and high-profile U.S. political figures shows that its targeting is driven by national-security intelligence value rather than opportunistic gain.

Mitigation Measures and Industry Response

To counter such threats, organizations must adopt proactive cybersecurity measures:

– Apply Cisco's fixed releases for CVE-2023-20198 and CVE-2023-20273 immediately, and verify that the fix is actually installed rather than merely scheduled.

– Disable the IOS XE web UI on internet-facing devices, or restrict it to trusted management addresses; an unreachable web UI removes the initial-access surface entirely.

– Monitor for unauthorized configuration changes, newly created privilege-15 local accounts, and unexpected GRE tunnel interfaces, comparing the running configuration against a change-managed baseline.

– Use end-to-end encryption for sensitive communications, so that interception at the carrier does not yield plaintext.
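The exploitation chain described above (web UI reachable, privilege-15 account created, GRE tunnel added) leaves traces in the device's running configuration, and the third mitigation in the list is to look for them. The following Python script is an added example, not code from the article or from Cisco: it parses a constructed IOS XE `show running-config` sample, flags the three indicators, and diffs the current configuration against a golden copy. The hostname, usernames, tunnel numbers and addresses are made up (RFC 5737 documentation ranges), and the approved-admin and approved-peer sets stand in for whatever change management would actually record.

```python
"""Audit a Cisco IOS XE running-config for Salt Typhoon-style indicators.

Checks: web UI enabled, privilege-15 users outside the baseline, and GRE
tunnels whose far end is not an approved peer. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed running-config of a compromised edge router (not real data).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
interface Tunnel7
 ip address 10.254.254.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface Tunnel1
 description approved DR link
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.20
 tunnel mode gre ip
!
"""

# Constructed golden config taken before the intrusion.
BASELINE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
interface Tunnel1
 description approved DR link
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.20
 tunnel mode gre ip
!
"""

# Assumed values an auditor would pull from change management.
APPROVED_ADMINS = {"netops"}
APPROVED_TUNNEL_PEERS = {"192.0.2.20"}


@dataclass
class Finding:
    severity: str
    indicator: str
    detail: str


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the indented sub-commands under each 'interface X' stanza."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return blocks


def audit_config(config: str, approved_admins: set[str],
                 approved_peers: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    # 1. Web UI enabled: the initial-access surface for CVE-2023-20198.
    for cmd in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(cmd)}\s*$", config, re.M):
            findings.append(Finding("high", "webui-enabled", cmd))
    # 2. Privilege-15 local users that change management does not know about.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in approved_admins:
            findings.append(Finding("critical", "unexpected-priv15-user", m.group(1)))
    # 3. GRE tunnels to unapproved peers. 'tunnel mode gre ip' is the IOS
    #    default and is omitted from the config when unchanged, so a missing
    #    mode line still means GRE.
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), None)
        if "gre" in mode and dest not in approved_peers:
            findings.append(Finding("critical", "unapproved-gre-tunnel", f"{name} -> {dest}"))
    return findings


def config_drift(baseline: str, current: str) -> list[str]:
    """Line-level drift: config lines present now but absent from the golden copy."""
    base = {l.rstrip() for l in baseline.splitlines()}
    return [l.rstrip() for l in current.splitlines() if l.strip() and l.rstrip() not in base]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, APPROVED_ADMINS, APPROVED_TUNNEL_PEERS):
        print(f"[{f.severity}] {f.indicator}: {f.detail}")
    for line in config_drift(BASELINE_CONFIG, SAMPLE_CONFIG):
        print(f"[drift] {line}")
```

On the constructed sample this reports both HTTP server lines, the `svc_backup` account, and `Tunnel7` pointing at `203.0.113.77`, while the approved `Tunnel1` passes. The drift check is deliberately line-based and ignores ordering, so a sub-command that already exists under another stanza (here `tunnel source GigabitEthernet0/0/0`) is not reported on its own; the new `interface Tunnel7` line still is. Feed it real output of `show running-config` and a baseline from your configuration repository, and run it from a monitoring host rather than on the router.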

Government agencies including CISA and the FBI have urged the use of encrypted messaging applications to reduce the risk of eavesdropping at the carrier. The U.S. Treasury Department recently sanctioned Sichuan Juxinhe Network Technology Co., Ltd., a Chinese contractor linked to Salt Typhoon's activities. While this marks a strong stance against state-sponsored cyber espionage, experts stress that international collaboration is essential to counter such persistent threats effectively.

Broader Implications and Lessons Learned

This case highlights several critical security concerns. First, it shows that offensive capabilities against foreign IT products can grow out of the vendor's own local training programs. Second, it raises questions about the unintended consequences of corporate education initiatives in markets marked by geopolitical tension. As China pursues its Delete America strategy of removing Western technology from its infrastructure, security experts warn that such training programs may present more risk than reward, potentially turning today's students into tomorrow's adversaries.