Cybergangs repeatedly infiltrating the NBR server with ease

In no fewer than 114 instances, they successfully bypassed "highly sophisticated" security measures to carry out customs procedures

Nov 16, 2024 - 13:40

On May 20, 2024, Chattogram Custom House Deputy Commissioner Mohammad Zakaria was in Kolkata for medical treatment. That evening, at 11:33 PM, the NBR server, known as the Automated System for Customs Data (ASYCUDA), was accessed using Zakaria's ID and password. Just 30 minutes later, the intruder logged in again and completed customs procedures to release a fraudulently declared container of foreign cigarettes valued at Tk 6 crore. Investigators described the breach as a sophisticated cyberattack.

The perpetrator not only acquired Zakaria's ID and password but also bypassed two advanced security layers, including the mandatory OTP sent to the user's mobile phone. Zakaria reported receiving no OTP during the incident. Furthermore, ASYCUDA's device- and IP-specific protocols were circumvented, as records show Zakaria's credentials were used from a different device and IP address located in Bhandaria, Pirojpur.

Though customs officials intercepted the shipment, the incident underscores a severe security gap. NBR officials labeled it a “serious national security threat,” highlighting the potential for unchecked import/export of goods.

Widespread Breaches and Organised Cybergangs

This incident is part of a broader trend. Between January 2019 and September 2024, cybergangs reportedly breached the NBR server multiple times, manipulating customs processes to launder money through 3,000 fraudulent consignments and illegally release 48 shipments. These shipments were often undervalued or misdeclared; investigations revealed contents worth Tk 124 crore in seized consignments valued at only Tk 1.26 crore.

Investigations show that gang members accessed the system using IDs and passwords of at least 27 customs officials, including those retired or deceased. Most breaches remain unresolved.

Recent Developments and Arrests

In a recent breakthrough, customs investigators identified four individuals, including Sheikh Shezan, a 23-year-old from Narail, as key suspects. Shezan, previously arrested for breaching other government servers, allegedly accessed ASYCUDA using mobile internet linked to his NID.

Customs documents revealed another breach on January 14, 2024, involving Revenue Officer Sonia Sarkar Liza’s credentials. The intruders accessed the server from her office at night, bypassing OTP protocols, to release shipments, including 12 lakh liters of liquor worth Tk 14 crore.

Systemic Weaknesses

Customs officials and IT experts point to systemic vulnerabilities. The ASYCUDA system is designed to prevent unauthorized access through IP and device-specific protocols and OTP-based authentication. However, insiders suspect deliberate manipulation, as the system’s security layers appear to have been relaxed during breaches.

NBR Programmer Golam Sarwar, responsible for managing access and generating user IDs, declined to comment on the lapses. Meanwhile, NBR officials acknowledged that despite a Tk 300 crore investment in security enhancements, the system remains compromised.

NBR Member (Customs Policy) Hossain Ahmed admitted flaws in the system and pledged to identify culprits, even among their own ranks. A seven-member committee has been formed to investigate the breaches.

As the investigation unfolds, the incidents raise serious concerns about the integrity of the customs process and the protection of Bangladesh’s import-export data.
