Chinese hackers infiltrated U.S. Treasury, stealing documents, reports reveal
Dec 30 (Reuters) – Hackers linked to the Chinese government reportedly broke into the U.S. Treasury Department earlier this month, stealing various documents from its computers, as detailed in a letter to lawmakers shared with Reuters on Monday.
The breach occurred through a compromise of the third-party cybersecurity provider BeyondTrust, which allowed unauthorized access to unclassified documents. The letter referred to the situation as a “major incident.”
The letter explained that attackers gained access to a critical security key used by BeyondTrust to manage a cloud service that provided remote technical support for Treasury Department offices. With this key, the hackers could bypass security measures, remotely connect to specific user workstations within the Treasury, and retrieve certain unclassified documents stored on those systems.
The Treasury was notified of the breach by BeyondTrust on December 8. Since then, the department has been working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the extent of the damage caused by the hack.
The FBI has not responded to requests from Reuters for comment, and CISA redirected inquiries back to the Treasury Department. A representative from the Chinese Embassy in Washington has also not commented; Beijing routinely denies involvement in cyberattacks.
While BeyondTrust has yet to respond to requests for comment, the company stated on its website that it had identified a security incident affecting a small number of customers of its remote support software. The company confirmed that a digital key was compromised in the incident and that an investigation is underway.
According to Tom Hegel, a researcher at cybersecurity firm SentinelOne, the security incident disclosed by BeyondTrust appears to correlate with the reported hacking of the Treasury. He said confirmation from BeyondTrust would be needed to establish any link.
“This incident matches a well-known operational pattern employed by groups connected to the PRC, particularly their tendency to exploit trusted third-party services—a tactic that has gained traction in recent years,” he stated.