- For the first time, CSIS used its legal “threat reduction” powers to disrupt foreign state-run botnets residing on infected Canadian devices.
- The Federal Court authorized the spy service to remotely alter and destroy malware on domestic servers, routers, and IoT gear, citing an imminent security threat.
- While the public ruling confirms the operation, critical details like the specific foreign adversaries involved remain redacted from the document.
- The cleanup tactic mirrors recent U.S. FBI operations but is conducted under a different legal authority focused on threat disruption rather than criminal investigation.
- The incident highlights the persistent security risk posed by neglected, end-of-life consumer networking equipment and Internet of Things devices.
Canada’s spy service, CSIS, secretly received judicial permission in May 2024 to neutralize two foreign-state-controlled botnets operating from infected devices on Canadian soil, according to a Federal Court ruling released this month. This unprecedented action targeted compromised home routers, servers, and consumer IoT gear like Ring doorbells and smart TVs being used to mask malicious network traffic.
Justice Catherine Kane found the threat to Canada’s security to be clearly established and imminent. On that basis the warrant allowed CSIS to lawfully alter, degrade, and destroy botnet data on these devices, actions that would otherwise constitute offences under the Criminal Code.
Justice Kane stressed the operation targeted only devices, not people. No user identities were sought, no content was intercepted, and any incidentally collected personal data was destroyed.
The botnets followed a standard relay playbook, using hijacked Canadian hardware to probe critical infrastructure, government, and military networks. This tactic makes malicious traffic appear as ordinary connections from residential or business IP addresses.
The court specifically flagged the energy sector as a target and warned that adversaries could use the botnets to probe and potentially disrupt Canadian infrastructure. This left the unsuspecting owners of infected devices appearing responsible for traffic they never sent.
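The relay tactic described above defeats the most common defensive rule, a per-source rate threshold, because each hijacked router or doorbell sends only a handful of packets before the next one takes over. The Python script below is an added illustration, not code from the ruling or from CSIS or the FBI: it runs a naive per-IP rule and a target-pivoted aggregation over a constructed firewall deny log (TEST-NET addresses, invented timestamps, a dozen probes per target) and shows that only the second rule flags the distributed probe. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample, not real traffic: six "residential" sources (203.0.113.0/24)
# each send two probes to one target, covering six ports in total, while a single
# noisy scanner (192.0.2.99) hammers a second target on port 22 twelve times.
SAMPLE_LOG = """\
2024-05-02T03:14:07Z DENY src=203.0.113.17 dst=198.51.100.10 dport=22
2024-05-02T03:14:09Z DENY src=203.0.113.17 dst=198.51.100.10 dport=23
2024-05-02T03:15:31Z DENY src=203.0.113.42 dst=198.51.100.10 dport=80
2024-05-02T03:15:33Z DENY src=203.0.113.42 dst=198.51.100.10 dport=443
2024-05-02T03:16:58Z DENY src=203.0.113.88 dst=198.51.100.10 dport=502
2024-05-02T03:17:01Z DENY src=203.0.113.88 dst=198.51.100.10 dport=8080
2024-05-02T03:18:12Z DENY src=203.0.113.131 dst=198.51.100.10 dport=22
2024-05-02T03:18:15Z DENY src=203.0.113.131 dst=198.51.100.10 dport=502
2024-05-02T03:19:40Z DENY src=203.0.113.175 dst=198.51.100.10 dport=23
2024-05-02T03:19:42Z DENY src=203.0.113.175 dst=198.51.100.10 dport=443
2024-05-02T03:21:05Z DENY src=203.0.113.220 dst=198.51.100.10 dport=80
2024-05-02T03:21:08Z DENY src=203.0.113.220 dst=198.51.100.10 dport=8080
2024-05-02T03:30:00Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:01Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:02Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:03Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:04Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:05Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:06Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:07Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:08Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:09Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:10Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
2024-05-02T03:30:11Z DENY src=192.0.2.99 dst=198.51.100.20 dport=22
"""

# Assumed log layout for this example; adapt the pattern to your firewall's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> list[Event]:
    """Parse deny lines; blank or malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["src"], m["dst"], int(m["dport"])))
    return events


def per_source_threshold_alerts(events: list[Event], threshold: int = 10) -> set[str]:
    """Classic per-IP rule: alert on any source with more than `threshold` denies.
    Relayed probing stays under this because each hijacked device sends very few."""
    counts = Counter(e.src for e in events)
    return {src for src, n in counts.items() if n > threshold}


def distributed_probe_alerts(
    events: list[Event], min_sources: int = 5, max_per_source: int = 4, min_ports: int = 5
) -> dict[str, dict]:
    """Pivot on the target instead of the source: many low-volume sources that
    together cover many ports on one destination is the footprint of relayed
    scanning. Only sources at or below `max_per_source` attempts count, so a
    single loud scanner does not trigger this rule by itself."""
    by_dst: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_dst[e.dst].append(e)
    alerts = {}
    for dst, evs in by_dst.items():
        per_src = Counter(e.src for e in evs)
        quiet_sources = {s for s, n in per_src.items() if n <= max_per_source}
        ports = {e.dport for e in evs if e.src in quiet_sources}
        if len(quiet_sources) >= min_sources and len(ports) >= min_ports:
            alerts[dst] = {"sources": len(quiet_sources), "ports": sorted(ports)}
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source rule flags:", per_source_threshold_alerts(evs))   # only the loud scanner
    print("target-pivot rule flags:", distributed_probe_alerts(evs))    # the relayed probe
```

On the constructed log the per-source rule flags only 192.0.2.99, the one host behaving like a traditional scanner, while the target-pivot rule flags 198.51.100.10 with six quiet sources covering six ports. In production the residential sources would also be worth enriching against ISP allocations or known relay-node feeds, but the point here is that the aggregation key, not a longer blocklist, is what exposes the tactic.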
While the public version of the ruling confirms the “what,” it redacts the “who.” The timing and technique align with a series of U.S. court-ordered botnet cleanups in late 2023 and early 2024 targeting Chinese and Russian state actors. However, as The Bureau reported, the specific nationalities behind Canada’s two botnets remain unclear from the document.
This operation represents a novel use of CSIS’s threat reduction measures, powers reworked in the National Security Act, 2017. The distinction from similar U.S. operations is key: the FBI acts under law enforcement search-and-seizure authority, while CSIS used an intelligence mandate to disrupt a threat.
The underlying vulnerability, however, remains unchanged. These botnets thrive on end-of-life routers, unpatched IoT devices, and equipment with default credentials exposed to the internet. A court-authorized cleanup removes the malware but does not fix these root weaknesses, so the same devices can be reinfected. The durable fix still rests with owners: replace gear that no longer receives firmware updates, apply the updates that do exist, change default credentials, and keep management interfaces off the WAN side.
