Afognak Native Corp. fell victim last month to a cyberattack in which $3.8 million of a subsidiary's money was transferred to an offshore bank account, a spokesperson for the corporation confirmed Wednesday.
In a letter dated April 30, Afognak Native Corp. CEO Greg Hambright told shareholders that the corporation's subsidiary, Alutiiq LLC, had been the victim of a "highly sophisticated" scheme that resulted in the unauthorized transfer of company money to an account in Hong Kong.
"Please be assured the company is working aggressively to recover funds to the maximum extent possible under law," Hambright wrote in the letter.
The Afognak Native Corp. is headquartered on Kodiak Island. According to its website, the corporation represents 900 shareholders descended from the Village of Afognak on Afognak Island, directly north of Kodiak.
Corporate attorney Peter Boskofsky confirmed Wednesday that the letter had been sent to shareholders on April 30 regarding the attack, which originated from either Asia or Eastern Europe.
The attack took place on April 15, coinciding with a shareholder meeting in the community of Port Lions. Senior management was away from company headquarters at the time, Hambright wrote.
The attackers set up a Europe-based email account that mirrored Hambright's email address, the letter said.
An email was then sent from the fake account to the Alutiiq controller with instructions regarding a "confidential transaction"; a person called minutes later, Hambright wrote.
Pretending to be an attorney, the co-conspirator requested an "urgent" transfer of the $3.8 million "to an entity later revealed to be a fictitious third party company based in Hong Kong," Hambright wrote.
Believing the request to be authentic, the controller transferred the funds.
The attackers "demanded strict confidentiality" from the controller, according to Hambright, to keep the scheme under wraps.
Two days later, the transfer was discovered by Hambright and Chief Financial Officer Bill Zang. Once the corporation realized what had happened, it contacted its corporate bank and the FBI.
"We are working closely with FBI investigators, other law enforcement organizations, private investigators, and a team of expert consultants to identify and prosecute these criminals," Hambright wrote.
The FBI had requested a freeze on the bank account in question, Boskofsky wrote.
The company's computer accounts were not breached at any point and all customer data remained secure, according to Boskofsky.
The corporation's board of directors wrote that they were "very upset and dismayed by this attack" in a letter to shareholders also dated April 30.
Auditors are reviewing the corporation's protocols and an insurance claim has also been filed, the board of directors wrote.