Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
To try to determine whether the repetition of these names was a coincidence, Carey examined two databases of Chinese names and consulted with Yi Fuxian, a professor of Chinese demography at the University of Wisconsin-Madison. He says the name Qiu Daiping – or 邱代兵 in Chinese characters – turned out to be a relatively unlikely name to appear twice by chance. Yi confirmed to WIRED that the surname 邱 alone represents only 0.27 percent of Chinese names, and in combination with the given name 代兵 would represent a much smaller percentage.
The name Yu Yang (余洋 in Chinese characters) is more common. But the two names that appear in the connection seem unlikely to be a coincidence, as Carey assumes. “The absolute possibility of someone with that name also being paired with Yu Yang, having that skill set and going to the same university in the same location where these companies are registered, it’s just a very slim chance that these are not the right people,” Carey says.
WIRED attempted to contact Qiu Daibing and Yu Yang via Qiu Daibing’s LinkedIn page and an email address on Beijing Huanyu Tianqiong’s website, but received no response.
If Carey’s theory that the two men linked to Salt Typhoon were actually trained at Cisco’s networking academy is correct, it does not represent a flaw or security oversight in Cisco’s software, he says. Instead, it points to a problem that is difficult to avoid in a globalized market where technology products — and even training on the technical details of those products — are widely available, including to potential hacking adversaries.
However, Curry sees this issue becoming more pronounced, as China has tried for years to replace Cisco equipment and other Western devices in its own networks with domestic alternatives. “If China is moving in the direction of actually removing these products from Chinese networks,” Carey asks, “who would still be interested in learning more about them?”
At the same time, China has increasingly restricted information sharing with the global cybersecurity community, notes John Hultquist, a senior analyst at Google’s Threat Intelligence Group, for example, by pressuring security researchers not to present findings at international conferences.
“It’s as if we’re in a sharing group, and they tell us right to our faces that they’re not going to reciprocate,” Hultquist says. “We benefit them with our programs. But it doesn’t work the other way.”