Canada’s Spy Agency Strengthens Cybersecurity with First-of-Its-Kind Warrant to Clean Botnet-Infected Devices
In a significant move to bolster national cybersecurity, the Canadian Security Intelligence Service (CSIS) has received judicial approval to intervene directly in infected servers, home routers, and Internet of Things (IoT) devices located within Canada. This unprecedented action aims to neutralize two foreign-operated botnets that pose a threat to the country’s infrastructure.
The Federal Court released a public version of its ruling on June 15, marking the first instance in which CSIS has employed its threat reduction warrant powers in this manner. The warrant authorized CSIS to modify, degrade, and eliminate botnet data on compromised devices, effectively severing their connections to the networks.
Judicial Approval and Operational Details
The warrant specifically targeted servers, small office and home office (SOHO) routers, and various IoT devices, including smart doorbells, security cameras, and Wi-Fi-enabled appliances. Justice Catherine Kane granted the warrant on May 1, 2024, renewed it in August, and issued the confidential reasoning behind the decision in February 2026. The warrant remained undisclosed for over two years before the recent redacted release.
CSIS required this judicial order because intervening in someone else’s device to erase data could be classified as computer mischief under the Criminal Code. Thus, judicial authorization was essential before any action could be taken.
The court determined that the threat to Canada was both clearly established and imminent. It deemed the measures taken by CSIS as necessary, reasonable, and proportional, emphasizing that the operation targeted devices rather than individuals. No user identities were sought, no content was intercepted, and any personal data inadvertently collected was destroyed.
The Botnet Threat Landscape
The two botnets operated using a standard relay structure, where a command tier issued directives, and a layer of infected devices relayed traffic. By routing through compromised Canadian hardware, foreign entities could disguise their activities as legitimate connections, potentially probing critical infrastructure, government systems, and military networks.
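The relay structure described above, as an added detection sketch that is not from the article, CSIS or any court filing: it scans constructed flow records from an assumed 192.168.1.0/24 home LAN and flags a local device that accepts an inbound session from one external host and promptly forwards a comparable byte volume to a different external host. The 5-second window and 50 % volume-match threshold are assumptions, not values from the ruling.

```python
# Added example (not from the article, CSIS or any court filing): scan constructed
# flow records from a home LAN for a device that accepts an inbound session from an
# external host and then relays a similar volume of bytes to a different external host.
from collections import namedtuple
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed home network; adjust for your LAN

# ts = session start (seconds), nbytes = bytes carried by the session
Flow = namedtuple("Flow", "ts src dst dport nbytes")

def is_local(ip: str) -> bool:
    return ip_address(ip) in LAN

def find_relay_candidates(flows, window=5.0, min_ratio=0.5):
    """Map each local device to (inbound, outbound) flow pairs where the outbound
    session starts within `window` seconds of the inbound one, targets a different
    external host, and carries at least `min_ratio` of the inbound byte count."""
    hits = {}
    for inb in flows:
        if is_local(inb.src) or not is_local(inb.dst):
            continue                  # only external -> local sessions start a pattern
        device = inb.dst
        for outb in flows:
            if outb.src != device or is_local(outb.dst) or outb.dst == inb.src:
                continue              # answering the same peer is ordinary client/server traffic
            if not 0 <= outb.ts - inb.ts <= window:
                continue
            lo, hi = sorted((inb.nbytes, outb.nbytes))
            if hi == 0 or lo / hi < min_ratio:
                continue              # volumes too different to look like pass-through
            hits.setdefault(device, []).append((inb, outb))
    return hits

SAMPLE_FLOWS = [  # constructed records, not real telemetry
    Flow(100.0, "203.0.113.7", "192.168.1.20", 8443, 40_000),   # external host -> doorbell
    Flow(101.2, "192.168.1.20", "198.51.100.9", 443, 39_800),   # doorbell -> other external host
    Flow(102.0, "192.168.1.20", "198.51.100.10", 22, 38_900),   # doorbell -> yet another one
    Flow(150.0, "192.168.1.30", "203.0.113.50", 443, 12_000),   # laptop browsing (local origin)
    Flow(151.0, "203.0.113.50", "192.168.1.30", 443, 12_000),   # server side of that session
    Flow(200.0, "203.0.113.99", "192.168.1.31", 443, 500),      # small inbound to a camera
    Flow(201.0, "192.168.1.31", "198.51.100.2", 123, 76),       # camera NTP: volume does not match
]

if __name__ == "__main__":
    for device, pairs in find_relay_candidates(SAMPLE_FLOWS).items():
        print(device, [(i.src, o.dst, o.nbytes) for i, o in pairs])
```

Real flow exports carry many more fields, but the pass-through pattern (inbound from one external peer, outbound to another, matched volume and timing) is what distinguishes a relay node from a device simply answering its own cloud service.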
This situation leaves the owners of infected devices, such as smart doorbells, inadvertently responsible for traffic they did not generate. The court specifically highlighted the energy sector as a potential target, warning that adversaries could direct these botnets to probe and disrupt Canadian infrastructure.
While the public ruling clarifies the nature of the threat—two foreign adversaries posing a risk to national security—it does not disclose their identities. The timing and techniques employed suggest a specific context in early 2024. However, reports indicate that it remains unclear whether the botnets were linked to Chinese, Russian, or other state actors. The redaction of specific details obscures the full picture.
Context of International Cyber Operations
This operation aligns with a series of court-ordered botnet cleanups conducted in the United States. In December 2023, the FBI used the KV-botnet's own command channel to remove its malware from numerous U.S. SOHO routers, primarily older Cisco and Netgear models. These devices had been exploited by the China-linked Volt Typhoon group to conceal its access ahead of potential crises affecting American communications, energy, and transportation systems.
Shortly thereafter, the FBI executed a similar operation against a network of Ubiquiti routers that had been repurposed by Russia’s GRU, specifically the APT28 group, for espionage activities. Canada’s cyber center had previously joined allied warnings regarding state actors exploiting SOHO and IoT devices, highlighting the shared challenges faced by nations in securing consumer technology.
The key difference between the U.S. and Canadian operations lies in the authority under which the warrants were issued. The U.S. actions were conducted by law enforcement agencies, including the FBI and DOJ, operating under search-and-seizure authority. In contrast, CSIS utilized its intelligence capabilities to actively disrupt threats, a power established in the CSIS Act and revised in the National Security Act of 2017.
The Importance of Device Maintenance
This incident underscores a critical lesson for cybersecurity defenders: botnets thrive on neglected devices. Outdated routers, IoT kits lacking firmware updates, and devices with default credentials exposed to the internet are prime targets for exploitation.
While government interventions can remove malware, they do not address underlying vulnerabilities. In U.S. operations, the malware was eradicated, but the inherent weaknesses remained. A simple reboot or factory reset could reverse the cleanup, leaving the door open for reinfection. Responsibility for retiring outdated hardware and securing remaining devices ultimately rests with the owners, not the agencies conducting the cleanup.
One unresolved issue from the public ruling involves the collection of IP addresses by CSIS without a warrant. This occurred weeks after the Supreme Court of Canada ruled in R. v. Bykovets that an IP address carries a reasonable expectation of privacy. Questions remain regarding the alignment of this practice with CSIS’s collection authorities and whether the owners of the disinfected devices were informed of the actions taken.
For further details on this significant development, refer to the original reporting source: thehackernews.com.