Salt Typhoon Hackers Exposed: Cisco Training Led to Global Telecom Breaches
Red Hot Cyber, the Italian blog on information security

Redazione RHC: 16 December 2025 08:13

A recent study by SentinelLabs sheds new light on the roots of the hacker group known as “Salt Typhoon,” which carried out one of the most audacious espionage operations of the past decade.

First identified in September 2024, the attack campaign has compromised numerous networks. A recent alert reported that the hacker group has successfully infiltrated over 80 telecommunications companies worldwide.

As a result, sensitive data, including unsecured calls and text messages, was collected from prominent figures such as US presidential hopefuls and Washington insiders.

According to the SentinelOne report, the members of the group, initially simple students with a passion for Cisco networking, were able to use the training gained from participating in networking competitions to launch an attack and put the global telecommunications infrastructure at risk.

Behind the scenes of this “geopolitical storm” are two individuals identified as Yu Yang (余洋) and Qiu Daibing (邱代兵). Far from being shadowy and unknown figures, they are co-owners of companies explicitly named in the cybersecurity advisories: Beijing Huanyu Tianqiong and Sichuan Zhixin Ruijie.

| Person | Company (Role) |
|---|---|
| Qiu Daibing | Beijing Huanyu Tianqiong (Shareholder 45% – Held through Sichuan Kala Benba Network Security Technology Company) |
| Yu Yang | Sichuan Zhixin Ruijie (Supervisor, Shareholder 50%); Beijing Huanyu Tianqiong (Shareholder 55%) |

The two have a long and documented history of collaboration: working closely together, they “filed patents and orchestrated attacks.”

Most alarmingly, the group didn’t just intercept communications, but also compromised systems designed for law enforcement. The report notes that “even systems embedded within telecommunications companies, which facilitate the lawful interception of criminals’ communications, were breached by Salt Typhoon.”

The duo’s journey to state-sponsored hacking began not in a military bunker, but in a classroom. Thirteen years before being named in a US security advisory, Yu Yang and Qiu Daibing were students at Southwest Petroleum University (SWPU), a regional Chinese institution with “little recognition for its cybersecurity and information security programs.”

Despite their school’s modest reputation, the pair excelled. In the 2012 Cisco Network Academy Cup, representing SWPU, Yu Yang’s team placed second in Sichuan, while Qiu Daibing’s team took first place and ultimately secured third place nationally.

The report draws a poignant parallel to classic rivalries, noting that this tale of high-tech espionage “hides a story as old as time: a skilled master trains an apprentice… the apprentice usurps the master.” It compares their trajectory to famous feuds, such as “Gordon Ramsay’s feud with Marco Pierre White” and “Anakin’s rise under Obi-Wan Kenobi.”

The revelation highlights a critical vulnerability in global technology training initiatives. The Cisco Network Academy, which opened in China in 1998, trained students on the very same products, Cisco IOS and ASA Firewall, that Salt Typhoon later exploited.

Although the academy has trained over 200,000 students in China, Yu Yang and Qiu’s success underscores a “Ratatouille” lesson for the world of cybersecurity: “Anyone can cook.” Two students at a less-regarded university have used standard corporate training to develop an offensive capability rivaling that of nation states.

The incident serves as a stark warning to Western technology companies operating in geopolitical hotspots. The report suggests that “offensive capabilities against foreign IT products likely emerge when companies begin providing local training,” inadvertently fostering foreign offensive research.

While such initiatives have driven sales for decades, the landscape has changed. As the report concludes, “As China seeks to eliminate US-made IT from its technology landscape, these initiatives may pose more risks than benefits.”
