To try to determine the probability of those name repetitions being a coincidence, Cary checked two databases of Chinese names and consulted with Yi Fuxian, a professor of Chinese demography at the University of Wisconsin–Madison. The name Qiu Daibing—or 邱代兵 in Chinese characters—turned out to be a relatively unlikely name to show up twice just by chance, he says. The surname 邱 alone, Yi confirmed to WIRED, represents just 0.27 percent of Chinese names, and in combination with the specific 代兵 given name would represent a far smaller percentage.
The name Yu Yang (余洋 in Chinese characters) is more common. But the two names appearing in association seems less likely to be a coincidence, Cary theorizes. “The sheer improbability of somebody having this name also being paired with a Yu Yang, having this skill set and going to the same university in the same location where these companies are registered, it’s just an incredibly small chance that these are not the right people,” Cary argues.
WIRED attempted to contact Qiu Daibing and Yu Yang via both Qiu Daibing’s LinkedIn page and an email address on the website of Beijing Huanyu Tianqiong but received no response.
If Cary’s theory that two men linked to Salt Typhoon were in fact trained in Cisco’s Networking Academy is correct, it doesn’t represent a flaw or security oversight in Cisco’s program, he says. Instead, it points to a tough-to-avoid issue in a globalized market where technology products—and even training in the technical details of those products—are widely available, including to potential hacking adversaries.
Cary argues that the issue has only become more glaring, however, as China has tried for years to replace Cisco equipment and other Western devices in its own networks with domestic alternatives. “If China is moving in the direction of actually removing these products from Chinese networks,” Cary asks, “who’s still interested in learning about them?”
China has, meanwhile, increasingly restricted its own information-sharing with the global cybersecurity community, points out John Hultquist, chief analyst at Google’s Threat Intelligence Group, for instance, by pressuring security researchers not to present findings at international conferences.
“It’s like we’re in a sharing group, and they’ve told us straight to our face that they’re not going to reciprocate,” Hultquist says. “We’re benefiting them with our programs. But it’s not going in the other direction.”
