US Treasury Department says Chinese hackers stole documents in ‘serious incident’

By Raphael Satter and AJ Vicens

WASHINGTON (Reuters) – Chinese state-sponsored hackers breached the U.S. Treasury Department’s computer security guardrails this month and stole documents. The Treasury Department called it a “serious incident,” according to a letter to lawmakers that Treasury officials shared with Reuters on Monday.

The hackers compromised third-party cybersecurity service provider BeyondTrust and were able to access unclassified documents, the letter said.

According to the letter, hackers “gained access to a key used by the provider to secure a cloud-based service used to provide remote technical support to Treasury Departmental Office (DO) end users.” “By accessing the stolen key, the threat actor was able to defeat the security of the service, remotely access certain workstations of Treasury DO users, and access certain unclassified documents maintained by those users.”

“Based on available indicators, the incident was attributed to a state-sponsored Advanced Persistent Threat (APT) actor in China,” the letter said.

The Treasury Department said it was alerted to the breach by BeyondTrust on December 8 and is working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the impact of the hack.

Treasury officials did not immediately respond to an email seeking further details about the hack. The FBI did not immediately respond to Reuters’ requests for comment, while CISA referred questions back to the Treasury Department.

“China has always opposed all forms of hacker attacks,” Chinese Foreign Ministry spokesman Mao Ning said at a regular news conference on Tuesday.

A spokesman for the Chinese embassy in Washington denied any responsibility for the hack, saying Beijing “strongly rejects the US’s slander attacks against China without any factual basis.”

A spokesman for BeyondTrust, based in Johns Creek, Georgia, told Reuters in an email that the company “already identified and took remediation measures for a security incident related to its remote support product in early December 2024.” BeyondTrust has “notified the limited number of customers involved” and law enforcement has been notified, the spokesman said. “BeyondTrust assisted in the investigative efforts.”

The spokesman referred to a statement posted on the company’s website on December 8 that outlined some details of the investigation, including that a digital key was compromised in the incident and that an investigation is ongoing. The statement was last updated on December 18.

Tom Hegel, threat researcher at cybersecurity firm SentinelOne, said the reported security incident “fits a well-documented pattern of conduct by PRC-linked groups, with a particular focus on abusing trusted third-party services – a practice that has become increasingly common in the last few years,” he said, using an acronym for the People’s Republic of China.

(Reporting by Raphael Satter in Washington, AJ Vicens in Detroit and Akash Sriram in Bengaluru; Additional reporting by Liz Lee in Beijing; Editing by Shinjini Ganguli, Tasim Zahid, Alistair Bell, Rod Nickel, Leslie Adler and Sonali Paul)