CSIS Uses Novel Warrant to Neutralize Foreign Botnets in Canada

The Canadian Security Intelligence Service (CSIS) has executed a groundbreaking operation to dismantle two foreign-controlled botnets operating within Canada. This initiative marks the first use of a specific judicial warrant by CSIS to intervene directly in cyber threats affecting the nation’s infrastructure.

On June 15, the Federal Court released a public version of its ruling, detailing the authorization granted to CSIS. The warrant permitted the agency to access and neutralize malware on infected servers, home routers, and Internet of Things (IoT) devices located on Canadian soil. These devices included Ring doorbells, security cameras, smart televisions, and other Wi-Fi-enabled appliances.

Justice Catherine Kane issued the initial warrant on May 1, 2024, with a renewal in August of the same year. The confidential reasons for the decision were provided in February 2026, and the redacted version was made public this month. The court emphasized that the operation targeted devices rather than individuals, ensuring that no user identities were sought, no content was intercepted, and any incidental personal data collected was destroyed.

The botnets in question used a hierarchical structure: command tiers issued directives, and layers of infected devices relayed traffic downstream. By routing through compromised Canadian hardware, the foreign operators could mask their activity, making malicious traffic appear to be ordinary connections from home users or internet service provider customers. This tactic allowed adversaries to probe critical infrastructure, government, and military networks without immediate detection.

Owners of the infected devices were often unaware of their involvement, potentially facing unwarranted scrutiny for traffic they did not initiate. The court highlighted the energy sector as a particular target, warning that adversaries could use the botnets to probe and potentially disrupt Canadian infrastructure.
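The relay behaviour described above has a simple network-level signature that a device owner or ISP can look for: a camera or router that accepts an inbound connection from one unknown external address and, moments later, opens an outbound connection to a different external address is acting as a hop rather than an endpoint. The following is an added example of that check, written for this page and not taken from the CSIS ruling or the article. It runs over a constructed list of flow records of the kind a home router or NetFlow exporter could produce; the `Flow` field names, the home network range and the thresholds are all assumptions.

```python
"""Flag LAN/IoT devices that behave like traffic relays (added example).

Input: flow records as a home router or NetFlow exporter might produce them.
Field names, the LAN range and the thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home network range


@dataclass(frozen=True)
class Flow:
    ts: float   # connection start time, seconds
    src: str    # source IP of the connection
    dst: str    # destination IP of the connection
    dport: int  # destination port


def is_internal(ip: str) -> bool:
    return ip_address(ip) in LAN


def find_relay_candidates(flows, window=5.0, min_pairs=3):
    """Return {device: set of (external_src, external_dst)} for LAN hosts that
    take an inbound connection from one external host and open an outbound
    connection to a *different* external host within `window` seconds, when
    this happens for at least `min_pairs` distinct address pairs."""
    events = defaultdict(list)  # device -> [(ts, direction, external peer)]
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.dst) and not is_internal(f.src):
            events[f.dst].append((f.ts, "in", f.src))
        elif is_internal(f.src) and not is_internal(f.dst):
            events[f.src].append((f.ts, "out", f.dst))

    candidates = {}
    for device, evs in events.items():
        recent_in = []  # inbound peers still inside the time window
        pairs = set()
        for ts, direction, peer in evs:
            if direction == "in":
                recent_in.append((ts, peer))
                continue
            recent_in = [(t, p) for t, p in recent_in if ts - t <= window]
            for _, p in recent_in:
                if p != peer:  # talking back to the same host is not relaying
                    pairs.add((p, peer))
        if len(pairs) >= min_pairs:
            candidates[device] = pairs
    return candidates


# Constructed sample; RFC 5737 documentation addresses stand in for the internet.
SAMPLE_FLOWS = [
    # 192.168.1.20 (camera) relays: in from one address, out to another
    Flow(100.0, "203.0.113.5", "192.168.1.20", 8443),
    Flow(101.2, "192.168.1.20", "198.51.100.7", 443),
    Flow(200.0, "203.0.113.9", "192.168.1.20", 8443),
    Flow(200.4, "192.168.1.20", "198.51.100.8", 443),
    Flow(300.0, "203.0.113.5", "192.168.1.20", 8443),
    Flow(302.1, "192.168.1.20", "198.51.100.9", 22),
    # 192.168.1.30 (smart TV) only talks outbound to its own service
    Flow(100.0, "192.168.1.30", "198.51.100.50", 443),
    Flow(150.0, "192.168.1.30", "198.51.100.50", 443),
    # 192.168.1.40 accepts one inbound connection and talks back to that host
    Flow(400.0, "203.0.113.77", "192.168.1.40", 80),
    Flow(400.5, "192.168.1.40", "203.0.113.77", 443),
    Flow(420.0, "192.168.1.40", "198.51.100.60", 443),  # outside the window
]

if __name__ == "__main__":
    for device, pairs in find_relay_candidates(SAMPLE_FLOWS).items():
        print(f"{device}: {len(pairs)} relay-like hops", sorted(pairs))
```

Only the camera is reported; the smart TV (outbound only) and the host that answers the same peer it heard from are not. On a real network the inbound side would normally be invisible behind NAT, so any LAN device receiving unsolicited external connections at all (through port forwarding or UPnP) is already worth a look, and the window and pair thresholds should be tuned to the traffic volume actually observed.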

While the public ruling confirmed the involvement of two foreign adversaries posing a clear threat to Canada’s security, specific details about the entities remain redacted. The timing and methods of the operation align with similar actions taken in early 2024, but it is unclear whether the botnets were controlled by Chinese, Russian, or other state actors.

This operation mirrors tactics employed by the United States in combating botnets. In December 2023, the FBI used the botnets’ own command channels to delete malware from hundreds of U.S. small office and home office (SOHO) routers. These routers, primarily outdated Cisco and NetGear devices, had been exploited by the China-linked group Volt Typhoon to establish access within American critical infrastructure sectors, including communications, energy, water, and transportation.

Subsequently, the FBI conducted a similar operation against a network of Ubiquiti routers commandeered by Russia’s GRU-affiliated group, APT28, for espionage purposes. In both instances, the U.S. operations were conducted under law enforcement authority, with the FBI and Department of Justice acting under search-and-seizure powers.

In contrast, Canada’s approach involved its intelligence service, CSIS, utilizing a threat reduction warrant to address the cyber threats. This distinction underscores the evolving strategies nations are adopting to protect their digital landscapes from foreign cyber intrusions.

The use of such warrants by CSIS represents a significant development in Canada’s cybersecurity efforts. It demonstrates a proactive stance in neutralizing cyber threats and highlights the importance of legal frameworks that enable intelligence agencies to act decisively while safeguarding civil liberties. As cyber threats continue to evolve, the collaboration between legal authorities and intelligence services will be crucial in maintaining national security and protecting critical infrastructure.