Canada’s spy agency uses novel warrant authority to remotely remove botnet infections from compromised devices

Canada’s spy agency obtained a rare court warrant to remotely disable foreign-run botnets by cleaning infected routers, servers, and IoT devices across the country.

CSBadmin

Canada’s intelligence service obtained court authorization to remotely access infected servers, home routers, and IoT devices located on Canadian soil and disable two foreign-operated botnets. A public version of the Federal Court ruling, released on June 15, confirms this was the first time the Canadian Security Intelligence Service (CSIS) has used its threat reduction warrant powers in this way, marking a significant expansion in how it can actively disrupt cyber operations.

The warrant authorized CSIS to alter, degrade, and delete malicious botnet components on compromised devices and disconnect them from attacker-controlled infrastructure. The affected systems included small office and home office routers, internet-facing servers, and consumer IoT devices such as security cameras, smart TVs, and connected doorbells. Issued by Justice Catherine Kane in May 2024 and later renewed, the order remained confidential for nearly two years before a redacted version was made public.

According to the ruling, the legal threshold was met because the botnets posed a clear and imminent threat to Canadian security. The court also emphasized that the operation targeted compromised machines rather than individuals, noting that CSIS did not seek user identities or intercept communications, and any incidental personal data encountered during remediation was to be destroyed. The botnets themselves followed a typical relay structure, using hijacked Canadian devices to mask foreign-origin traffic that could be used for reconnaissance against critical infrastructure, including energy systems.

While the ruling confirms involvement by two foreign adversaries, key details about attribution remain redacted, leaving it unclear whether the campaigns were linked to Russia, China, or a mix of both. The operation echoes similar U.S. court-authorized botnet takedowns carried out by the FBI in recent years, where law enforcement used malware command channels to remove infections from vulnerable consumer hardware. Unlike those efforts, however, Canada’s action was carried out under CSIS’s intelligence-focused “threat reduction” mandate, a power expanded under the National Security Act framework but previously unused at this scale.

Sources: The Hacker News