CSIS Obtains First-of-Its-Kind Warrant to Remotely Clean Botnet-Infected Devices on Canadian Soil
Canada's spy agency, CSIS, secured a novel threat reduction warrant to remotely disinfect servers, home routers, and IoT devices infected by two foreign-run botnets, marking a legal and operational first for domestic cyber defense.

Canada's spy service, the Canadian Security Intelligence Service (CSIS), obtained a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15, marking the first time CSIS has used its threat reduction warrant powers in this way.
The warrant, granted by Justice Catherine Kane on May 1, 2024, and renewed that August, allowed CSIS to alter, degrade, and destroy botnet data on the infected machines and cut the devices loose from the networks. The targets included Canada-based servers, small office and home office (SOHO) routers, and Internet of Things devices such as Ring doorbells, security cameras, TVs, and other Wi-Fi-enabled appliances. The court found the threat to Canada clearly established and imminent, and the measures necessary, reasonable, and proportional.
CSIS needed the order because the cleanup would likely have been a crime without it. Reaching into someone else's device and wiping data is computer mischief under the Criminal Code, so the Service needed a judge's sign-off before touching the machines. The court stressed that the operation went after devices, not people: no user identities were sought, no content was intercepted, and any personal data swept up incidentally was destroyed.
The two botnets ran the standard relay playbook. A command tier issued the orders; a layer of infected devices relayed the traffic. By routing through hijacked Canadian hardware, a foreign state can look like an ordinary connection, a home worker, or an ISP customer, while it probes critical infrastructure, government, and military networks. The court flagged the energy sector among the targets and warned that the adversaries could direct the botnets to probe and potentially disrupt Canadian infrastructure.
The public ruling settles the what: two foreign adversaries posing a threat to Canada's security, which the court found clearly made out. What it strips out is the who. The timing and the technique match a specific moment in early 2024, but The Bureau, which surfaced the ruling, says it cannot tell from the redacted reasons whether Canada's two botnets were both Chinese, both Russian, or one of each. The foreign-state hand is a finding. The flag is the redaction.
This operation mirrors similar court-ordered botnet cleanups in the United States. In a December 2023 operation, the FBI used the botnet's own command channel to delete the KV-botnet malware from hundreds of U.S. SOHO routers, mostly end-of-life Cisco and Netgear boxes that the China-linked Volt Typhoon was using to hide its access. Weeks later, it ran a near-identical operation against a separate network of Ubiquiti routers that Russia's GRU, the APT28 group, had turned into an espionage relay. The difference is who holds the warrant: the U.S. operations were law enforcement actions under search-and-seizure authority, while Canada's is an intelligence service using threat reduction measures written into the CSIS Act and reworked in the National Security Act, 2017.
The lesson for defenders is the boring one. The botnets feed on the gear nobody maintains: end-of-life routers still wired into the network, IoT kits that never took their last firmware update, anything sitting on default credentials with a management panel facing the internet. A government cleanup does not touch that. In the U.S. operations, the malware came off, but the weaknesses stayed, and a reboot or factory reset could undo the fix and reopen the door to reinfection. Retiring the dead hardware and locking down what stays is on the owner, not the agency that cleaned up after them.