Researchers tracking China-linked cyberattacks say two key operators in the advanced persistent threat group known as “Salt Typhoon” likely came through Cisco’s Networking Academy training program, where they gained skills that were later applied to a global espionage campaign targeting telecom networks. The analysis ties individuals named in U.S. government advisories to prior participation and awards in Cisco’s academy competitions, raising questions about how freely shared corporate training can be repurposed by state-linked actors to exploit the very technologies they studied. Salt Typhoon has been tied to widespread breaches of telecom infrastructure, including intrusions into U.S. networks and exfiltration of sensitive communications data, and authorities and analysts continue to reassess defensive posture and strategic repercussions in light of these findings.
Key Takeaways
– Two individuals linked to Salt Typhoon were identified as former participants in Cisco’s Networking Academy, suggesting their formal training may have informed later offensive capabilities.
– Salt Typhoon is a China-linked advanced persistent threat actor blamed for extensive telecom intrusions and espionage campaigns against U.S. and global networks.
– The connection highlights broader cybersecurity concerns about the dual-use nature of widely accessible IT education in geopolitically tense times.
In-Depth
Recent reporting and cybersecurity research have shed light on the backgrounds of individuals tied to one of the most persistent and technically sophisticated cyberespionage groups of the last several years — the China-linked advanced persistent threat actor commonly referred to as Salt Typhoon. In a surprising twist, analysts say that at least two operators who played key roles in the group’s campaigns learned foundational networking and security skills through Cisco’s globally available Networking Academy program. Documents and research shared by security firm analysts reveal that the names of these individuals appeared in training and competition records from Cisco’s student programs years before they were associated with companies later identified in U.S. government advisories as involved in Salt Typhoon activities. This discovery has sparked debate over how open corporate training on widely deployed technologies can inadvertently help state-linked actors better understand and then exploit those same technologies for offensive purposes.
Cisco’s Networking Academy was established to broaden access to IT and networking education, training hundreds of thousands of students worldwide in essential skills for building and securing network infrastructure. For many participants, this training leads to legitimate careers in IT support, network administration, or cybersecurity defense. But in this case, researchers argue that two alumni of the program, after participating in competitive Cisco Academy events during their university years, went on to co-found firms that were later named in U.S. cybersecurity notices tied to Salt Typhoon’s global cyber-espionage operations. Analysts stress that the odds of mere coincidence — two individuals with the same names and backgrounds converging in the same program and geopolitical threat context — are extremely low, and the circumstantial evidence strongly supports the assessment that they are one and the same. Once these individuals entered the professional world, they allegedly leveraged the technical insights, particularly around Cisco’s IOS and firewall products, that they first encountered in training to inform the development of offensive tools and strategies used in Salt Typhoon’s campaigns.
Salt Typhoon itself has drawn significant attention from both private cybersecurity firms and government entities for its aggressive targeting of global telecommunications infrastructure. The group has been implicated in breaching major backbone networks, gaining prolonged, stealthy access to routers and edge devices, and exfiltrating sensitive data including communications metadata. In some instances, investigators believe that Salt Typhoon accessed unencrypted call and text data from networks serving high-profile political and corporate figures. These breaches have raised alarms about the security of critical infrastructure and the adequacy of current defensive measures across both private and public sectors.
The potential involvement of formally trained network specialists in offensive cyber operations underscores a broader dilemma in cyber defense policy: the same knowledge that underpins secure configuration and protection of systems can also empower adversaries once they adopt a malicious mission. This dual-use tension has prompted calls for more robust safeguards around shared training, broader cooperation on defensive best practices, and increased scrutiny of how educational programs intersect with national security concerns, particularly as geopolitical tensions between major powers continue to shape the cyber landscape. At the same time, Cisco and other vendors emphasize that their training programs are foundational and open to a wide range of participants, and that responsibility for misuse lies with actors who choose to apply skills illegally. The episode illustrates the evolving balance between open technological education and the realities of cyber conflict in an interconnected world.

