A China-linked hacking operation has commandeered more than 1,500 devices across multiple regions, using the network to conduct wide-ranging cyber reconnaissance against governments, corporations, and critical infrastructure, according to researchers at cybersecurity firm Lumen. The campaign, attributed to a threat actor tracked under the name JDY, marks a significant escalation in state-sponsored digital espionage activities targeting the Asia-Pacific region and beyond.

The botnet operates by infiltrating routers, firewalls, and internet-of-things devices, transforming them into covert surveillance tools that silently harvest data and map network vulnerabilities. Security analysts warn that the scale of the operation places it among the most extensive cyber-espionage campaigns documented this year, raising serious questions about the adequacy of existing corporate cybersecurity protocols.

Scale and Sophistication of the JDY Operation


Lumen's threat intelligence division first identified the JDY botnet in early 2023, tracking its gradual expansion from a handful of compromised devices to a network now spanning at least 1,500 endpoints. Researchers confirmed the operation leverages compromised networking equipment from multiple manufacturers, allowing the group to maintain persistence within victim networks while evading detection by traditional security tools.

The botnet's primary function appears to be intelligence gathering rather than disruptive attacks. Infected devices transmit reconnaissance data—including network configurations, authentication credentials, and communication patterns—to command-and-control servers operated by the threat actors. Lumen's analysis suggests the operation prioritises targets in sectors including telecommunications, energy, and advanced manufacturing.

Attribution to Chinese Threat Actors

Researchers at Lumen have assessed with high confidence that JDY operates under direction from or in coordination with actors based in China. The attribution draws on multiple indicators, including code overlaps with previously documented Chinese state-sponsored campaigns, the operational focus on strategic infrastructure, and the use of Chinese-language infrastructure components. Lumen declined to specify which Chinese government ministry or intelligence service it believes oversees the operation.

The technical characteristics of the botnet distinguish it from financially motivated cybercrime groups. Unlike ransomware operations that generate direct revenue, JDY functions as an intelligence-collection apparatus. The data it gathers serves strategic purposes—supporting diplomatic negotiations, trade discussions, and military planning. This motive places it squarely within the category of advanced persistent threats that Western intelligence agencies have long warned about.

Implications for Corporate Cybersecurity Spending

The emergence of a botnet of this magnitude is already influencing how companies allocate their security budgets. Enterprise firms that previously relied on basic firewall protection and endpoint antivirus software are now being forced to reconsider their defensive postures. Premium pricing for cyber insurance policies covering state-sponsored attacks has increased by an estimated 25 to 40 percent in the past twelve months, according to brokers operating in Singapore and Hong Kong.

Insurance actuaries are particularly concerned about the aggregation risk posed by botnets like JDY. A single sophisticated threat actor can activate thousands of compromised devices at once to intrude on multiple policyholders simultaneously, creating correlated losses that could overwhelm insurers' reserves. Several major cyber insurers have quietly introduced sub-limits for attacks attributed to nation-state actors, a move that shifts significant financial exposure back to corporate policyholders.

Supply Chain Vulnerabilities Under Scrutiny

The JDY campaign exploits a fundamental weakness in enterprise security: the reliance on networked devices that receive minimal attention after deployment. Many of the compromised devices identified by Lumen operated for years without firmware updates or security patches, creating a vast attack surface that threat actors can harvest at will.

Corporate boards are increasingly asking whether their organisations have accurate inventories of connected devices. The answer, in many cases, is no. Network management tools typically track servers and workstations, leaving routers, switches, and IoT sensors unmonitored. This visibility gap allows botnets to establish deep footholds before detection occurs. The average time from initial compromise to discovery in such campaigns exceeds 200 days, according to incident response data compiled by Lumen.

Government Response and Regulatory Pressure

Authorities in several Asia-Pacific jurisdictions have begun issuing advisories warning organisations about the JDY botnet. The Singapore Cybersecurity Agency published guidance recommending immediate network segmentation reviews and mandatory credential rotation for all networked infrastructure devices. Similar warnings emerged from Australian and Japanese cybersecurity centres, reflecting regional concern about the campaign's reach.

Regulatory scrutiny is intensifying alongside advisory warnings. Proposed legislation in Singapore would require critical infrastructure operators to maintain continuous monitoring of all networked devices and report compromises within 24 hours. Corporate officers who fail to meet these standards could face personal liability, a provision that has sharply focused executive attention on cybersecurity governance.

Market Consequences for Technology Vendors

The botnet's success in exploiting networking equipment has created both winners and losers in the technology market. Shares of companies specialising in network detection and response rose following the Lumen disclosure, as investors anticipate increased demand for more sophisticated monitoring tools. Conversely, manufacturers of budget networking equipment face reputational damage and potential liability claims from customers whose devices were co-opted into the botnet.

Channel partners report accelerating interest in managed detection and response services from small and medium enterprises that lack internal security expertise. Monthly recurring revenue from these services has grown by approximately 18 percent year-over-year across the Southeast Asian market, according to industry data. This trend benefits managed security providers but squeezes smaller businesses that must now allocate resources to cybersecurity or risk becoming the next JDY target.

What Organizations Should Do Next

Security teams should immediately audit their network device inventories, prioritising routers, firewalls, and IoT sensors that have not received firmware updates in the past six months. Any device running end-of-life software should be isolated from production networks and replaced. Credential rotation for administrative accounts on networking equipment should be treated as an urgent priority rather than a routine maintenance task.
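The audit described above can be turned into a repeatable check. The following Python script is an added illustration, not code from Lumen or from any agency advisory cited in this article; it assumes the organisation can export a device inventory with each device's type, last firmware update date, end-of-life status and whether it appears in the monitoring system. It applies the article's own criteria: end-of-life network devices are isolated and replaced, devices without a firmware update in the past six months are prioritised for patching, and routers, switches, firewalls and IoT sensors missing from monitoring are listed as the visibility gap the article describes. The inventory rows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Six months, per the guidance in the article.
FIRMWARE_STALE_AFTER = timedelta(days=182)

# Device classes the article says typically fall outside inventory tools.
NETWORK_DEVICE_TYPES = {"router", "firewall", "switch", "iot_sensor"}


@dataclass(frozen=True)
class Device:
    hostname: str
    device_type: str
    last_firmware_update: date
    end_of_life: bool
    monitored: bool  # present in the NMS/SIEM inventory?


def triage(devices, today):
    """Classify network devices into the three actions the article recommends.

    Returns a dict mapping action name -> sorted list of hostnames.
    Servers and workstations are skipped because the article notes existing
    tooling already tracks them.
    """
    actions = {
        "isolate_and_replace": [],   # end-of-life software: off the production network
        "patch_priority": [],        # no firmware update in the past six months
        "add_to_monitoring": [],     # network device absent from monitoring
    }
    for d in devices:
        if d.device_type not in NETWORK_DEVICE_TYPES:
            continue
        if d.end_of_life:
            actions["isolate_and_replace"].append(d.hostname)
        elif today - d.last_firmware_update > FIRMWARE_STALE_AFTER:
            actions["patch_priority"].append(d.hostname)
        if not d.monitored:
            actions["add_to_monitoring"].append(d.hostname)
    return {action: sorted(hosts) for action, hosts in actions.items()}


# Constructed sample inventory (hostnames and dates are invented for illustration).
SAMPLE_INVENTORY = [
    Device("edge-rtr-01", "router", date(2023, 1, 10), end_of_life=False, monitored=True),
    Device("fw-dmz-02", "firewall", date(2024, 3, 1), end_of_life=False, monitored=True),
    Device("core-sw-03", "switch", date(2021, 6, 30), end_of_life=True, monitored=False),
    Device("hvac-sensor-17", "iot_sensor", date(2022, 11, 5), end_of_life=False, monitored=False),
    Device("app-srv-09", "server", date(2024, 4, 15), end_of_life=False, monitored=True),
]


def run_sample():
    """Run the triage against the constructed inventory on a fixed reference date."""
    return triage(SAMPLE_INVENTORY, today=date(2024, 5, 1))


if __name__ == "__main__":
    for action, hosts in run_sample().items():
        print(f"{action}: {', '.join(hosts) if hosts else '(none)'}")
```

Feeding the script a real export rather than the sample rows gives a prioritised worklist; the server in the sample is deliberately ignored to show that the check targets the device classes the article identifies as unmonitored.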

Organisations that discover evidence of compromise should engage incident response specialists rather than attempting remediation independently. The command-and-control techniques employed by JDY require specialised forensic tools to fully eradicate. Partial remediation can alert threat actors and cause them to adapt their infrastructure, making subsequent detection significantly more difficult.

Watch for updated advisories from national cybersecurity agencies expected over the coming weeks. Lumen has indicated it will publish additional technical indicators of compromise that security teams can use to scan their environments. The next phase of this campaign may expand beyond reconnaissance to include more aggressive data exfiltration or pre-positioning for future disruptive operations—making immediate action essential for any organisation with Asia-Pacific exposure or strategic significance.

James Lim, Author
James Lim covers technology, artificial intelligence, and digital transformation across Singapore and Southeast Asia. He tracks Singapore's Smart Nation initiatives, the growth of regional tech startups, and the policy frameworks shaping the digital economy in ASEAN nations.

Based in Singapore, James has reported on AI governance debates, fintech regulation, and the development of Singapore's technology ecosystem. He holds a degree in information systems from Singapore Management University and has contributed to regional technology media for eight years.