What Happened
Canada’s Federal Court has publicly released a redacted version of a warrant it granted to the Canadian Security Intelligence Service (CSIS) authorizing the agency to reach into infected servers, home routers, and consumer IoT devices across Canada and neutralize two foreign-run botnets. The ruling, issued by Justice Catherine Kane, was originally granted in May 2024 and renewed in August of the same year. The court kept it confidential until a redacted version was released on June 15, 2026.
This is the first time CSIS has used the threat reduction warrant powers Parliament granted it in 2015 to take direct action against malware infrastructure on Canadian soil. Without the warrant, the cleanup operation — altering, degrading, or destroying data on devices CSIS does not own — would constitute computer mischief under the Criminal Code.
The botnets targeted Canada-based servers, small office and home office routers, and consumer IoT devices: Ring doorbells, security cameras, smart televisions, and Wi-Fi-enabled appliances. CSIS assessed the botnets as likely linked to a foreign state actor, with reporting indicating China as the assessed origin. The agency was authorized to sever the infected devices from the botnet networks entirely. (The Hacker News)
Why This Matters for Canadian Organizations
The CSIS action establishes a legal and operational precedent that reaches well beyond the specific botnets involved. Several things follow from this ruling that Canadian security teams should understand.
First, compromised consumer and small office devices inside Canadian homes and businesses are being treated as active national security infrastructure by foreign adversaries. Botnets built from routers, cameras, and televisions are not only nuisances — they are assessed as tools of foreign state-linked operations. Canadian organizations with employees working remotely on home networks face residual exposure from exactly this class of device.
Second, the warrant confirms CSIS is operating in domestic cyberspace in ways that were not publicly acknowledged before. The Canadian Centre for Cyber Security (CCCS) has issued repeated advisories about state-linked botnet infrastructure; this ruling shows those advisories correspond to active intelligence operations. Organizations subject to Bill C-26 — Canada’s Critical Cyber Systems Protection Act — and those operating in sectors identified as vital services should treat state-linked botnet activity as a credible threat requiring active network monitoring, not just perimeter defence.
Third, the geographic and device scope of this operation reflects a broader trend CSIS and Five Eyes partners have flagged repeatedly: edge devices and consumer IoT are the preferred entry point for state-linked persistent access networks. Canadian organizations operating operational technology, industrial control systems, or facilities with IoT-connected infrastructure should review whether any such devices are reachable from the internet and whether default credentials have been changed.
What to Do
Review your network perimeter for end-of-life routers, cameras, or IoT devices with internet-facing interfaces. Apply firmware updates on any device that remains supported. Segment IoT devices from corporate and sensitive networks using VLANs or dedicated network zones. Remote employees connecting from home networks introduce risk from consumer devices outside your control; endpoint detection on corporate laptops and mandatory VPN routing for sensitive access reduce but do not eliminate this exposure. Consult the CCCS advisory library for current guidance on state-linked botnet indicators relevant to Canadian infrastructure.
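The review steps above can be run as a repeatable check over an asset inventory. The script below is an added example, not part of the original reporting or any CCCS tooling; the inventory columns, device names, and the IoT VLAN range are assumptions built for illustration.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample inventory (not real devices); the column names are assumptions.
INVENTORY_CSV = """name,kind,ip,internet_facing,vendor_eol,default_creds_changed
edge-rtr-01,router,10.10.0.1,yes,2023-12-31,yes
lobby-cam-02,camera,10.10.4.27,yes,2028-06-30,no
boardroom-tv,smart_tv,10.10.4.40,no,2027-01-31,yes
dock-cam-03,camera,10.50.0.12,no,2029-03-31,yes
"""

# Assumed zone plan: one dedicated IoT VLAN; everything else is corporate.
IOT_NETS = [ipaddress.ip_network("10.50.0.0/24")]
IOT_KINDS = {"camera", "doorbell", "smart_tv", "appliance"}


def audit(csv_text, today):
    """Return {device name: [issue codes]} for devices failing any check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        is_iot = row["kind"] in IOT_KINDS
        ip = ipaddress.ip_address(row["ip"])
        # Vendor support has ended, so firmware fixes will no longer arrive.
        if date.fromisoformat(row["vendor_eol"]) < today:
            issues.append("end-of-life")
        # Routers face the internet by design; cameras and TVs should not.
        if is_iot and row["internet_facing"] == "yes":
            issues.append("iot-internet-facing")
        if row["default_creds_changed"] != "yes":
            issues.append("default-credentials")
        # IoT gear addressed outside the IoT VLAN shares a zone with corporate hosts.
        if is_iot and not any(ip in net for net in IOT_NETS):
            issues.append("not-segmented")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY_CSV, date(2026, 6, 15)).items():
        print(f"{name}: {', '.join(issues)}")
```

Devices that pass every check are omitted from the result, so an empty dictionary means the inventory is clean against these four rules only.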






