Chinese-backed hackers have broken into the US Treasury Department’s workstations



CNN

The U.S. Treasury Department told lawmakers on Monday that a state-sponsored actor in China had infiltrated Treasury workstations in what officials are calling a “serious incident.”

In a letter reviewed by CNN, a Treasury Department official said he was informed by a third-party software service provider on December 8 that a threat actor had used a stolen key to remotely access certain Treasury workstations and unclassified documents.

“Based on available indicators, the incident has been attributed to a state-sponsored Chinese Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for administration at the U.S. Department of the Treasury, wrote in the letter.

A Treasury Department spokesperson said in a statement to CNN that the compromised service has been taken offline and officials are working with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).

“There is no evidence that the threat actor continues to have access to Treasury systems or information,” the Treasury spokesperson said.

Treasury officials plan to hold a confidential briefing on the breach with staff from the House Financial Services Committee next week, a senior committee official told CNN. The exact time of the briefing has not yet been determined.

According to the letter to Senate Banking Committee leadership, third-party software services provider BeyondTrust said hackers gained access to a key the provider used to secure a cloud-based service that the Treasury Department uses for technical support.

“By accessing the stolen key, the threat actor was able to defeat the security of the service, remotely access certain Treasury Department user workstations (department offices), and access certain unclassified documents maintained by those users,” the letter from the Treasury Department said.

BeyondTrust did not immediately respond to a request for comment.

It’s not clear exactly how many workstations were infiltrated. However, the Treasury spokesman said in the statement that “multiple” Treasury user workstations had been accessed.

Hardikar said in the letter that based on Treasury Department policy, intrusions attributed to advanced, persistent threat actors are considered a “major cybersecurity incident.” Treasury officials are required to provide an update in a 30-day supplementary report.

It is not clear whether the Treasury Department has fully determined the extent of the damage caused by the breach.

Hardikar wrote in the letter that the Treasury Department worked with CISA, the FBI, U.S. intelligence agencies and outside forensic investigators to “fully characterize the incident and determine its overall impact.”

“CISA became involved immediately after Treasury learned of the attack, and the remaining governing bodies were contacted as soon as the extent of the attack became apparent,” the letter said.

This is a developing story and will be updated.
