By Matt Egan, CNN

(CNN) — The US Treasury Department notified lawmakers on Monday that a China state-sponsored actor infiltrated Treasury workstations in what officials are describing as a “major incident.”

In a letter reviewed by CNN, a Treasury official said it was informed by a third-party software service provider on December 8 that a threat actor used a stolen key to remotely access certain Treasury workstations and unclassified documents.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for management at the US Treasury, wrote in the letter.

A Treasury spokesperson said in a statement to CNN that the compromised service has been taken offline and officials are working with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).

“There is no evidence indicating the threat actor has continued access to Treasury systems or information,” the Treasury spokesperson said.

Treasury officials plan to hold a classified briefing about the breach next week with staffers from the House Financial Services Committee, a senior committee staffer told CNN. The exact timing of the briefing has not been scheduled yet.

A spokesperson for China’s Foreign Ministry denied the accusation when asked about the hacking at a regular news briefing on Tuesday.

“We have repeatedly stated our position on such groundless accusations lacking evidence. China has always opposed all forms of cyberattacks, and we are even more opposed to spreading false information about China for political purposes,” said Mao Ning, a spokesperson for the foreign ministry.

According to the letter to Senate Banking Committee leadership, the third-party software service provider, BeyondTrust, said hackers gained access to a key used by the vendor to secure a cloud-based service that Treasury uses for technical support.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury [Departmental Office] user workstations, and access certain unclassified documents maintained by those users,” the Treasury letter said.

BeyondTrust said it identified a security incident that took place on December 2 involving its Remote Support product and notified the “limited number” of customers involved after the company confirmed on December 5 that it had confirmed “anomalous behavior” in the product.

It posted information regarding the incident on its website on December 8, and it has been updating its progress in investigating the cause and mitigating future threats. The company said it suspended and quarantined the impacted instances of the product and hired an outside cybersecurity team to investigate.

“No other BeyondTrust products were involved,” a Beyond Trust spokesperson said. “Law enforcement was notified and BeyondTrust has been supporting the investigative efforts.”

It’s not clear exactly how many workstations were infiltrated. However, the Treasury spokesperson said in the statement that “several” Treasury user workstations were accessed.

Hardikar said in the letter that based on Treasury policy, intrusions attributed to advanced persistent threat actors are considered a “major cybersecurity incident.” Treasury officials are required to provide an update in a 30-day supplemental report.

It’s not clear if Treasury has fully determined the extent of the damage caused by the breach.

Hardikar wrote in the letter that, in an effort to “fully characterize the incident and determine its overall impact,” Treasury has been working with CISA, the FBI, US intelligence agencies and third-party forensic investigators.

“CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident,” the letter said.

This story has been updated with additional developments and context.

The-CNN-Wire
™ & © 2024 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.