The revelation will add to concerns over the susceptibility of US critical infrastructure to cyberattacks. The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country’s water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.

Liu Pengyu, a spokesman for the Chinese Embassy in Washington, said in an email, “ ‘Volt Typhoon’ is actually a ransomware cyber criminal group who calls itself the ‘Dark Power’ and is not sponsored by any state or region.”

He added that China sees signs that the US intelligence community has secretly collaborated with cybersecurity companies to falsely accuse China of supporting cyberattacks against the US as part of an effort to boost congressional budgets and government contracts. Bloomberg couldn’t verify those claims.

Lumen shared its findings with Versa in late June, according to Lumen and supporting documentation shared with Bloomberg.

Versa, which is based in Santa Clara, California, said it issued an emergency patch for the bug at the end of June, but only began flagging the issue widely to customers in July once it was notified by one that claimed to have been breached. Versa said that customer, which it didn’t identify, didn’t follow previously published guidelines on how to protect its systems via firewall rules and other measures.

Dan Maier, Versa’s chief marketing officer, said in an email Monday that those 2015 guidelines include advising customers to close off internet access to a specific port, which the customer had failed to follow. Since last year, he said, Versa has now taken measures of its own to make the system “secure by default,” meaning customers will no longer be exposed to that risk even if they haven’t followed company guidelines.

The bug carries a “high” severity rating, according to the National Vulnerability Database. On Friday, the Cybersecurity and Infrastructure Security Agency, known as CISA, ordered federal agencies to patch Versa products or stop using them by Sept. 13.