They say a freelance security consultant is responsible for writing the code, which used a previously unknown security flaw in Microsoft's Internet Explorer web browser to plant spyware on targeted computers, according to the Financial Times.
The US investigators believe the consultant, who does not work for the government, was obliged to give officials access to his code in return for being allowed to carry out his research unhindered.
They also believe the consultant did not carry out the attacks himself and would prefer his work not to be used in offensive attacks.
Analysts said the discovery will make it harder for the Chinese government to deny involvement in the widespread hacking attacks exposed by Google.
The revelation has increased diplomatic tensions between the US and China, which Western security experts have accused of involvement in cyber attacks aimed at stealing commercial and military secrets.
Google has threatened to close down its search operations in China and US secretary of state Hillary Clinton has called on Chinese authorities to conduct a probe into the hacking attacks.