HOW if they do not have a physical access to the major routers?
1) Let's say you had a rootkit-like patch for a popular model of carrier-grade fiber optic switch. Now let's say that you control one or more key employees of an engineering company that installs carrier-grade networking equipment in various parts of the world. Gives it to universities for free. Operates popular chains of internet cafes.
2) Let's say you deploy large numbers of compromised TOR routers in all of your embassies and consulates. Or as a botnet.
3) Let's say you have a team of skilled malware writers that work on creating network sniffing botnets. Let's say the malware is also able to install a sniffer on several popular models of wi-fi access point, with known (and unknown) firmware issues, backdoors, or simply default passwords.
4) Let's say you have massive arrays of wi-fi and cellular antennas installed in all of your embassies and consulates, and 60 years of experience isolating and processing signals from distant enemy transmitters.
Those are four possible scenarios. I'm sure if you think about it you can come up with others.
We all know that the Internet is inherently insecure, and that software is exploitable. Given enough storage to capture everything in real time so they can apply map-reduce to it, the NSA (and presumably other spy agencies) have their work cut out for them.