China’s Global Espionage Machine: Joint Cybersecurity Advisory Exposes Router Compromises


On August 27, 2025, a coalition of cybersecurity agencies from the U.S., UK, EU, Canada, Japan, Australia, and others issued a blunt warning: Chinese state hackers aren’t just stealing data—they’re hijacking the internet itself.

The joint advisory names the Beijing-linked threat clusters tracked as Salt Typhoon, Operator Panda, RedMike, UNC5807, and GhostEmperor, and exposes how they are compromising routers and backbone infrastructure worldwide. These aren’t isolated corporate breaches. They span telecommunications, government systems, transport, hotels, and even military networks.

How They Operate

China’s hackers don’t need exotic zero-days. They exploit slow patching and long-known vulnerabilities in network edge devices from vendors such as Cisco, Ivanti, and Palo Alto Networks. Once in, they entrench themselves:

  • Planting hidden admin accounts to guarantee control.
  • Abusing Cisco’s Guest Shell to run their own malware inside the device.
  • Running rogue SSH services on obscure ports to stay invisible.
  • Building covert GRE/IPsec tunnels to siphon traffic out of the network.
  • Deploying custom espionage tools—like a Golang-built SFTP client for efficient data theft.

This isn’t smash-and-grab cybercrime. It’s occupation of infrastructure—designed for long-term espionage and mass surveillance.

Case Study: The Smoking Gun

One case pulled from the advisory shows the scale of the threat. At a major international organization, Chinese APTs hijacked Cisco routers and turned them into surveillance nodes.

  • Network traffic was mirrored and siphoned off.
  • Credentials were harvested in bulk.
  • Data was funneled through covert tunnels directly into Beijing’s hands.

In effect, the routers themselves were conscripted into China’s global spy network.

Why It Matters

Routers are not endpoints—they are the arteries of the internet. By controlling them, Beijing doesn’t just see a single target—it gains visibility into everything passing through: emails, calls, sensitive documents, even encrypted flows if paired with other attacks.

This is not hacking at the edges. It is systematic infiltration of the internet’s circulatory system. It is surveillance at scale, an espionage machine hidden in plain sight.

What Defenders Must Do

The advisory demands action, not complacency:

  • Patch or be owned. Every unpatched router is an open door to Beijing.
  • Hunt relentlessly for rogue accounts, hidden tunnels, and strange SSH ports.
  • Audit configs constantly—look for the fingerprints of compromise.
  • Shut down weak protocols and enforce hardened standards.
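As an added example (not code from the advisory or from any vendor), here is a small Python audit run over a constructed Cisco IOS-style running-config that flags the artefacts the two lists above describe: unexpected local accounts, Guest Shell/IOx enabled, SSH moved to a non-standard port, GRE tunnel endpoints, and SPAN mirroring sessions. The command syntax is assumed from IOS-XE conventions; the sample config, hostname, account names, and addresses are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample running-config for this example (not taken from the advisory).
# It mixes a normal baseline with the kinds of artefacts the advisory describes.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
iox
app-hosting appid guestshell
ip ssh port 2222 rotary 1
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
monitor session 1 source interface GigabitEthernet0/0/1
monitor session 1 destination interface GigabitEthernet0/0/3
line vty 0 4
 rotary 1
 transport input ssh
"""

KNOWN_ACCOUNTS = {"netops"}  # accounts the operator expects; anything else is flagged


def audit_config(config: str, known_accounts=KNOWN_ACCOUNTS) -> Dict[str, List[str]]:
    """Return suspicious artefacts grouped by the advisory's technique categories."""
    f: Dict[str, List[str]] = {k: [] for k in
         ("rogue_accounts", "guest_shell", "ssh_ports", "tunnels", "mirroring")}
    tunnel = None  # Tunnel interface whose indented sub-commands we are currently inside
    for line in config.splitlines():
        if not line.startswith(" "):   # top-level command ends any interface block
            tunnel = None
        if m := re.match(r"^username (\S+)", line):
            if m.group(1) not in known_accounts:
                f["rogue_accounts"].append(m.group(1))
        elif line == "iox" or line.startswith("app-hosting appid guestshell"):
            f["guest_shell"].append(line)  # IOx / Guest Shell container enabled
        elif m := re.match(r"^ip ssh port (\d+)", line):
            if m.group(1) != "22":
                f["ssh_ports"].append(m.group(1))  # SSH moved to a non-standard port
        elif m := re.match(r"^interface (Tunnel\S+)", line):
            tunnel = m.group(1)
        elif tunnel and (m := re.match(r"^ tunnel destination (\S+)", line)):
            f["tunnels"].append(f"{tunnel} -> {m.group(1)}")  # GRE/IPsec endpoint
        elif line.startswith("monitor session"):
            f["mirroring"].append(line)  # SPAN session copying traffic elsewhere
    return f
```

Run it against a device's real `show running-config` output, with `KNOWN_ACCOUNTS` populated from your own inventory; any non-empty category is a lead to investigate, not proof of compromise on its own.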

The Bottom Line

This isn’t just a cybersecurity bulletin—it’s a geopolitical alarm bell. The Chinese Communist Party is no longer content with stealing corporate secrets or military blueprints. It is embedding itself into the infrastructure of global communications, giving Beijing a permanent listening post inside nations, industries, and militaries worldwide.
