*

US Treasury says Chinese state-sponsored hackers stole

documents

*

China says it has always opposed all forms of hacker

attacks

*

Attack follows a pattern of operations by China-linked

groups,

analyst says

(Adds quote from Treasury Department letter in paragraph 4,

China foreign ministry comment in paragraph 7)

By Raphael Satter and AJ Vicens

WASHINGTON, Dec 30 (Reuters) - Chinese state-sponsored

hackers breached the U.S. Treasury Department's computer

security guardrails this month and stole documents in what

Treasury called a "major incident," according to a letter to

lawmakers that Treasury officials provided to Reuters on Monday.

The hackers compromised third-party cybersecurity service

provider BeyondTrust and were able to access unclassified

documents, the letter said.

According to the letter, hackers "gained access to a key

used by the vendor to secure a cloud-based service used to

remotely provide technical support for Treasury Departmental

Offices (DO) end users. With access to the stolen key, the

threat actor was able to override the service's security,

remotely access certain Treasury DO user workstations, and

access certain unclassified documents maintained by those

users."

"Based on available indicators, the incident has been

attributed to a China state-sponsored Advanced Persistent Threat

(APT) actor," the letter said.

The Treasury Department said it was alerted to the breach by

BeyondTrust on Dec. 8 and that it was working with the U.S.

Cybersecurity and Infrastructure Security Agency (CISA) and the

FBI to assess the hack's impact.

Treasury officials didn't immediately respond to an email

seeking further details about the hack. The FBI did not

immediately respond to Reuters' requests for comment, while CISA

referred questions back to the Treasury Department.

"China has always opposed all forms of hacker attacks," Mao

Ning, a spokesperson for China's foreign ministry, told a

regular news conference on Tuesday.

A spokesperson for the Chinese Embassy in Washington

rejected any responsibility for the hack, saying that Beijing

"firmly opposes the U.S.'s smear attacks against China without

any factual basis."

A spokesperson for BeyondTrust, based in Johns Creek,

Georgia, told Reuters in an email that the company "previously

identified and took measures to address a security incident in

early December 2024" involving its remote support product.

BeyondTrust "notified the limited number of customers who were

involved," and law enforcement was notified, the spokesperson

said. "BeyondTrust has been supporting the investigative

efforts."

The spokesperson referred to a statement posted on the

company's website on Dec. 8 sharing some details from the

investigation, including that a digital key had been compromised

in the incident and that an investigation was under way. That

statement was last updated on Dec. 18.

Tom Hegel, a threat researcher at cybersecurity company

SentinelOne ( S ), said the reported security incident "fits a

well-documented pattern of operations by PRC-linked groups, with

a particular focus on abusing trusted third-party services - a

method that has become increasingly prominent in recent years,"

he said, using an acronym for the People's Republic of China."