CSIS Leverages New Powers to Neutralize State-Linked Botnets on Canadian Soil
Canada's intelligence agency, the **Canadian Security Intelligence Service (CSIS)**, has for the first time utilized its expanded threat reduction warrant powers to remotely neutralize two foreign-run botnets operating within Canadian borders. This unprecedented action targeted compromised servers, home routers, and Internet of Things (IoT) devices, highlighting a growing trend in active cyber defense against state-sponsored threats.

The **Federal Court** recently released a public version of a ruling that granted **CSIS** permission to access and neutralize foreign-run botnets embedded in Canadian infrastructure. This marks the first instance of **CSIS** deploying its threat reduction warrant powers in such a capacity, directly intervening in malicious cyber operations.
The warrant, initially granted by Justice **Catherine Kane** on May 1, 2024, and renewed in August of the same year, authorized **CSIS** to alter, degrade, and destroy botnet data on infected machines and disconnect them from the malicious networks. The targets included servers, small office and home office (**SOHO**) routers, and various **IoT** devices such as **Ring** doorbells, security cameras, and smart TVs.
### Legal Precedent and Justification
**CSIS** sought the court order to circumvent potential legal ramifications, as remotely accessing and wiping data from private devices would typically constitute computer mischief under the Criminal Code. The court found the threat to Canada to be clearly established and imminent, deeming the measures necessary, reasonable, and proportional. Crucially, the operation focused on devices, not individuals, with no user identities sought or content intercepted, and any incidentally collected personal data was destroyed.
These botnets employed a standard relay playbook, with a command tier issuing orders and a layer of infected devices relaying traffic. By routing through compromised Canadian hardware, foreign states could mask their origins, appearing as ordinary connections while probing critical infrastructure, government, and military networks. The court specifically flagged the energy sector as a potential target, warning of the adversaries' capability to disrupt Canadian infrastructure.
While the public ruling confirms the 'what' (two foreign adversaries posing a clear threat to Canada's security), the identities of these adversaries remain redacted. Media reports suggest the timing and techniques align with operations linked to China and Russia in early 2024.
### A Parallel to US Operations
This Canadian initiative mirrors similar court-ordered botnet cleanups conducted in the United States. In December 2023, the **FBI** removed the **KV-botnet** malware from hundreds of US **SOHO** routers, primarily end-of-life **Cisco** and **NetGear** devices, which were being exploited by the China-linked **Volt Typhoon** group. Weeks later, a near-identical operation targeted a network of **Ubiquiti** routers used by Russia's **GRU** (the **APT28** group) for espionage.
The key distinction lies in the authority: US operations were conducted by law enforcement (**FBI**, **DOJ**) under search-and-seizure warrants, whereas **CSIS** acted under its threat reduction powers, granted by the **National Security Act, 2017**. This power allows **CSIS** to actively disrupt threats, moving beyond mere intelligence collection.
### The Enduring Challenge of Legacy Hardware
The fundamental lesson for defenders remains unchanged: these botnets thrive on unmaintained hardware. End-of-life routers, **IoT** devices lacking critical firmware updates, and systems with default credentials exposed to the internet are prime targets. While government-led cleanups remove the malware, they do not address the underlying vulnerabilities.
In the US operations, the malware was removed, but the inherent weaknesses persisted. A simple reboot or factory reset could potentially undo the fix and reopen the door to reinfection. The responsibility for retiring obsolete hardware and securing remaining devices ultimately rests with the owners.
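As an added defender-side example (not from the article, the court ruling, or **CSIS**), the script below triages a constructed device inventory against the three risk factors the article names: end-of-life hardware, stale firmware, and default credentials on internet-exposed management interfaces, separating devices the owner must retire from those the owner can still remediate. The CSV layout, the 365-day firmware threshold and the device entries are assumptions.

```python
import csv
import io

# Constructed sample inventory (not real devices); one line per device.
# Columns: name,kind,end_of_life,firmware_age_days,default_creds,wan_mgmt_exposed
SAMPLE_INVENTORY_CSV = """\
name,kind,end_of_life,firmware_age_days,default_creds,wan_mgmt_exposed
edge-router,router,yes,900,yes,yes
front-door-cam,camera,no,400,no,no
living-room-tv,tv,no,30,no,no
branch-router,router,no,120,yes,yes
"""

MAX_FIRMWARE_AGE_DAYS = 365  # assumed patch-currency threshold, not from the ruling

def _flag(value: str) -> bool:
    """Interpret a yes/no inventory field as a boolean."""
    return value.strip().lower() in ("yes", "true", "1")

def assess(row: dict) -> dict:
    """Return risk findings and the recommended owner action for one device row."""
    eol = _flag(row["end_of_life"])
    findings = []
    if eol:
        findings.append("end-of-life: vendor ships no further firmware")
    elif int(row["firmware_age_days"]) > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware older than {MAX_FIRMWARE_AGE_DAYS} days")
    if _flag(row["default_creds"]):
        findings.append("factory default credentials")
    if _flag(row["wan_mgmt_exposed"]):
        findings.append("management interface reachable from the internet")
    # An EoL device can never be patched, so the only durable fix is retirement;
    # the other findings are fixable by the owner (update, change creds, close WAN admin).
    action = "retire" if eol else ("remediate" if findings else "ok")
    return {"device": row["name"], "action": action, "findings": findings}

def triage(inventory_csv: str) -> dict:
    """Parse the CSV inventory and group device names by required action."""
    groups = {"retire": [], "remediate": [], "ok": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups[assess(row)["action"]].append(row["name"])
    return groups

if __name__ == "__main__":
    for action, names in triage(SAMPLE_INVENTORY_CSV).items():
        print(f"{action}: {', '.join(names) or '-'}")
```

A malware removal like the ones described above leaves every device in the "retire" and "remediate" groups exactly as exposed as before; only the owner's action changes the grouping.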
One lingering question from the public ruling pertains to the collection of **IP** addresses by **CSIS** without a warrant, weeks after the **Supreme Court of Canada** ruled in **R. v. Bykovets** that an **IP** address carries a reasonable expectation of privacy. Whether this aligns with **CSIS**'s collection authorities, and if the owners of the disinfected devices were ever informed, remains undisclosed.