CSIS First Threat Reduction Warrant Remotely Disinfected Two Foreign Botnets on Canadian SOHO Routers and IoT Devices

{"The order permitted CSIS to sever devices from command relays and destroy incidental data without identifying users or intercepting content. Court documents note the botnets used hijacked Canadian hardware to mask probes against energy sector and critical infrastructure targets, a tactic matching Volt Typhoon and APT28 relay patterns observed in 2023-2024.","Public release of the redacted February 2026 reasons followed two years of secrecy, confirming CSIS Act threat reduction measures were invoked because unauthorized device access would constitute Criminal Code mischief. This marks the first known application of post-2019 authorities for active remediation rather than passive collection.","The operation parallels December 2023 FBI actions against KV-botnet on Cisco/Netgear routers and GRU-linked Ubiquiti devices, yet shifts authority from law enforcement search warrants to intelligence disruption powers. Neglected end-of-life consumer gear remains the persistent vector, with no new technical attribution evidence distinguishing Chinese versus Russian control in the Canadian case.","Allied states now hold a tested legal template for state-directed cleanup of sovereign infrastructure without public device owner consent, likely accelerating similar filings where SOHO and IoT hardware serves as persistent access infrastructure for pre-positioned adversaries."}