Codes to Decode: Cyber risks for Bangladesh when balancing great power rivalry

In the game of strategic balancing, Bangladesh is now navigating between securing energy supplies and maintaining geopolitical balance. But Bangladesh has barely examined the security of its energy infrastructure, which is heavily dependent on operational technology (OT) and industrial control systems (ICS).

The Bangladesh e-Government Computer Incident Response Team, the national frontline against cyber threats, was established in 2016 following the Bangladesh Bank cyber heist. Alarmingly, the last alert from BGD e-GOV CIRT was issued on December 9, 2025 and focused on a scam campaign. The agency has remained largely absent during critical moments such as the national polls and the ongoing US–Israel–Iran tensions.

On the geopolitical front, the Finance and Planning Minister Amir Khasru Mahmud Chowdhury met with US Ambassador, Brent T Christensen on Wednesday, and requested approval from the US to import fuel oil from Russia. The Finance Minister seeks a similar temporary waiver like India, which allows India to buy Russian oil for 30 days. The smartest decision would have been to maximise capacity utilisation of the India-Bangladesh Friendship Pipeline. This would allow Dhaka to enjoy Russian oil supply through India, keeping it distant from the longstanding US-Russia rivalry and the current US-Israel-Iran conflict.

Image

From a crisis management perspective, seeking Russian oil directly only tangles Bangladesh further into deep geopolitical conflicts. Alliances with Russia could bring a range of cyberattacks targeting the OT and ICS systems at Bangladesh’s energy infrastructure, notably Eastern Refinery Limited and the Moheshkhali Floating LNG Terminal.

In the latest threat advisory published by the Data Security Council of India (DSCI), over 150 pro-Palestinian hacktivist groups targeted Indian critical infrastructure during 2023–2024, as well as in 2025, with more than 4,000 cyberattacks recorded. Among these groups, one is reportedly claimed to be a Bangladeshi hacktivist group named “Mysterious Team Bangladesh.” Even though Bangladesh has not been directly involved in war against Israel, this Bangladeshi-origin hacktivist group has already launched attacks on Indian and Israeli infrastructure. The group launched over 828 cyberattacks between 2022 and 2023 alone. India and Israel sit at the top of the group’s target list, with 34 percent of attacks directed at India and 18.1 percent at Israel.

Mysterious Team Bangladesh has also claimed responsibility for a series of attacks launched at US military-linked firms in June 2025, following the escalation of the US-Israel-Iran 12-day war. These attacks by a Bangladeshi non-state actor place Bangladesh’s digital infrastructure under immense risk, especially its digital energy infrastructure, from Israeli, Indian, and US non-state cyber counterparts.

Bangladesh’s energy infrastructure, most notably Eastern Refinery Limited and the Moheshkhali Floating LNG Terminal, is heavily dependent on OT and ICS. Several operational functions at these facilities are completely automated. These sites could become prime targets for opposing hacker groups from the West, Israel, and India, today or tomorrow. The question remains: is BGD e-GOV CIRT prepared with a proper incident response mechanism and crisis management plan? In simple terms, it is not.

BGD e-Gov CIRT must move immediately from passive monitoring to active defence. First, it should launch a national cybersecurity hackathon focused specifically on OT and ICS vulnerabilities in energy infrastructures. Ethical hackers, universities and engineers should be invited to test and hack into the systems and identify weaknesses so that these systems can be patched quickly. Second, every employee working at Eastern Refinery Limited and the Moheshkhali LNG terminal must undergo intensive behavioural cybersecurity training, particularly on phishing and social engineering, which remain the most common entry points for cyber intrusions. Strict operational discipline must be introduced inside these facilities. Personal and work devices must be completely separated, personal phones should not be allowed inside control rooms, and employees should use dedicated secure devices for work. Finally, BGD e-Gov CIRT must establish dedicated 24/7 cyber crisis teams for these two strategic energy sites, continuously monitoring threats, coordinating with plant operators and responding immediately to any abnormal digital activity. Even if we can successfully balance between the US and Russia by receiving oil from India and China, we are completely on our own when it comes to protecting our energy infrastructure.

Asheer Shah is director of Governance and Security Initiative.