Cyber Criminals Exploit Customs Server: A Security Breach Revealed
On May 20, Mohammed Zakaria, a Deputy Commissioner at Chattogram Customs House, was undergoing medical treatment in Kolkata. That same night, at 11:33 PM, someone used his ID and password to access the National Board of Revenue’s (NBR) automated customs system, ASYCUDA.
Approximately 30 minutes later, the intruder logged in again and processed customs clearance for foreign cigarettes worth approximately 60 million BDT using fake declarations.
Customs investigators believe this was a highly sophisticated breach. The perpetrator not only gained access to Zakaria’s ID and password but also bypassed two additional layers of security, including an OTP (One-Time Password) sent exclusively to the user’s registered mobile device. Notably, Zakaria reported that he did not receive any OTP during this time, as confirmed by the system logs.
Further investigation revealed that the server was accessed from an unauthorized device and IP address located in the Vandaria Upazila of Pirojpur district. Although clearance of the illegal cigarettes imported under Hamco’s name has been suspended, the incident has left Customs and NBR officials deeply concerned.
A Threat to National Security
Officials view the breach as a “serious threat to national security.” Unauthorized access to such systems could enable tax evasion and the illegal import/export of goods.
To address the matter, NBR formed a seven-member investigative committee on October 22. Hamco has denied any involvement, stating that their name may have been misused.
System Vulnerabilities
Cybersecurity expert Mohammad Azhar Uddin explained that unauthorized IP access can harm server integrity. He emphasized that the failure to generate an OTP at the critical time suggests possible insider involvement. “A thorough server audit is essential to determine the extent of the breach and apprehend the culprits,” he noted.
An initial investigation led by Chattogram Customs Commissioner Mohammad Faizur Rahman identified four individuals, including the prime suspect, Sheikh Shezan (23), from Narail. Known for prior cybercrimes, Shezan had previously been arrested multiple times for stealing data from government servers, including the national ID database.
Shezan used a private mobile internet connection to log into the NBR server with Zakaria’s credentials. The telecom operator has confirmed that the SIM card used was registered under Shezan’s name.
A History of Breaches
From January 2019 to September 2024, cybercriminals accessed the NBR server at least 48 times, clearing import consignments and facilitating money laundering in over 3,000 export transactions. These included illicit goods such as alcohol and cigarettes worth millions of BDT.
Investigation reports show that the criminals often used credentials of at least 27 customs officials, including those retired or deceased. However, the May 20 incident was the first to yield concrete evidence tying suspects such as Shezan to a breach.
Systemic Flaws and Insider Concerns
Customs IT officials acknowledge the robust design of the ASYCUDA system, which prevents unauthorized device and IP access. However, one unnamed IT officer admitted, “The system’s multi-layered security appears to have been deliberately relaxed at certain times.”
Gholam Sarwar, the NBR programmer responsible for managing user access, declined to comment on how such breaches occurred, leaving the incident under ongoing investigation.
ASYCUDA’s Role and Challenges
Developed by the United Nations Conference on Trade and Development (UNCTAD), ASYCUDA is a customs management system used in nearly 100 countries. While its goal is to streamline trade and reduce corruption, this incident underscores vulnerabilities even in globally adopted systems.
The system was implemented in Bangladesh in 1994, adopted nationwide in 2013, and upgraded in 2022 to include two-tier security measures. However, breaches like this raise questions about the adequacy of those protections.
Officials remain concerned about identifying the ultimate beneficiaries of such illicit activities. The case marks a critical juncture for improving cybersecurity across vital national systems.
Source: The Daily Star