Read how two Cisco Network Academy Cup winners went from students to operators behind Salt Typhoon, a global cyber espionage campaign targeting telecoms.
Analysis Summary
# Threat Actor: Salt Typhoon Operators (Yuyang and Qiu Daibing)
## Attribution & Identity
The operators are identified as **Yuyang (余洋)** and **Qiu Daibing (邱代兵)**, co-owners of companies linked to the cyber espionage campaign. Their history traces back to their success as students in the 2012 **Cisco Network Academy Cup**. Yuyang is tied to **Sichuan Zhixin Ruijie**, and both he and Qiu are linked to **Beijing Huanyu Tianqiong**. They have also filed patents together. The overall campaign is widely attributed to a **China state actor**.
## Activity Summary
Salt Typhoon, first publicly reported in September 2024, is an expansive global cyber espionage campaign primarily targeting telecommunications companies. The group successfully compromised over **80 telecommunications companies globally**, leading to an extensive intelligence collection effort. This effort included intercepting **unencrypted calls and texts** belonging to US presidential candidates, key staffers, and China experts in Washington, DC. Critically, they breached **lawful intercept (CALEA) systems** embedded within these telecom providers.
## Tactics, Techniques & Procedures
The article focuses more on the high-level impact (espionage and data interception) rather than granular technical TTPs:
- **Exploiting Telecommunications Infrastructure:** Gaining unauthorized access to core telecom systems.
- **Breaching CALEA Systems:** Compromising the systems designed for lawful interception by law enforcement.
- **Intelligence Collection:** Intercepting communications such as unencrypted calls and texts.
- **CVE Exploitation (Implied Context):** The title suggests a link to exploiting Cisco vulnerabilities, inferred from the hackers' association with Cisco CVEs; specific CVEs are not detailed in the summary text.
## Targeting
- **Sectors:** Telecommunications companies (primary target).
- **Geography:** Global footprint, compromising over 80 companies worldwide.
- **Victims:** Telecommunications providers globally. Specific intelligence targets included communications between **US presidential candidates, key staffers, and China experts in Washington, DC.**
## Tools & Infrastructure
- **Malware families used:** Not explicitly named in the provided text.
- **Infrastructure (C2, domains, IPs):** No C2 servers, domains, or IPs are named in the provided text. The activity is linked to commercial entities the operators co-owned: Beijing Huanyu Tianqiong and Sichuan Zhixin Ruijie.
## Implications
The incident highlights a significant risk where foreign technology training initiatives (like the Cisco Network Academy) may **inadvertently boost the offensive research capabilities** of skilled individuals who later operate on behalf of a state actor. This incident underscores the potential threat emerging from the convergence of skilled technical talent nurtured in international programs and state-sponsored espionage efforts, particularly as China aims to replace American IT infrastructure ("Delete America" strategy). The breach of CALEA systems represents a profound intelligence gain.
## Mitigations
- Reviewing the risks associated with educational and training partnerships for foreign IT products within geopolitical contexts.
- Increased scrutiny of cybersecurity talent pipelines originating from training programs that may be leveraged for state-sponsored espionage.
- Defending and isolating lawful intercept systems (CALEA) given their high value as targets for intelligence collection.