China’s state security authorities recently found that a foreign intelligence agency had used domestic routers in China as “proxies” and sent phishing emails to personnel at key institutions to steal sensitive data, according to China's Ministry of State Security (MSS). Affected users remained unaware of the compromise, experiencing only slower internet speeds, frequent disconnections and unexpected reboots.
Investigations found that the foreign intelligence agency had taken control of multiple routers within China and used them as platforms to send phishing emails disguised as invitations to participate in review work or traffic violation payment notices, targeting staff at key institutions, the MSS disclosed on its WeChat public account on Wednesday.
Once users clicked the links and entered their passwords on fake login pages, they were tricked into re-entering credentials after being told the password was incorrect, before being redirected to legitimate-looking pages to avoid arousing suspicion. After obtaining login credentials, the attackers periodically accessed the email accounts to steal sensitive messages.
State security authorities have since guided relevant personnel to properly secure their email accounts and carried out technical inspections of the compromised routers, with follow-up work ongoing, according to the MSS.
Investigations found that users of the affected routers were unaware that their devices had been compromised, noticing only issues such as slower internet speeds, frequent disconnections and unexpected reboots, per MSS.
The compromised routers typically shared several characteristics: they were discontinued or outdated models, and they were improperly configured, for example through the continued use of weak or default administrator passwords and the enabling of high-risk functions such as remote management, all of which significantly increased the risk of cyber intrusion.
The MSS reminded internet users, especially network operations personnel, to strengthen security awareness and implement proper protection measures, including using reliable devices that are still receiving security support, setting strong and regularly updated passwords for both the admin interface and Wi-Fi, keeping firmware up to date while disabling unnecessary functions such as remote management, and staying alert to abnormal behavior such as unexplained redirects, unexplained configuration changes, or unusual login activity.
If such issues occur, the device should be disconnected, reset to factory defaults, and promptly reported through official channels, the MSS said.
Global Times