He has also given broad powers to the newly formed Cyberspace Administration of China, which has in turn targeted Internet celebrities who influence online opinion, increased blocks on foreign websites and sought to project China’s influence over the Internet internationally.

In the last few months, the Chinese government has blocked sales and disabled the protocols of VPNs. It also hijacked Internet traffic flowing to Baidu, China’s biggest Internet company, using it to overwhelm and knock down websites like GitHub that carry content China’s sensors deem hostile, including content from The New York Times.

Activists and security experts advised Chinese Internet users to protect themselves from state-sponsored surveillance by using Tor and VPNs, and foreigners inside China have long done so. But Mr. Blasco’s discovery suggests that Beijing’s Internet censors have found a way to render those tools useless.

“There’s a growing sense within China that widely used VPN services that were once considered untouchable are now being touched,” said Nathan Freitas, a fellow at the Berkman Center for Internet and Society at Harvard and technical adviser to the Tibet Action Institute.

The Cyberspace Administration of China did not return requests for comment.

Mr. Blasco said the Uighur and press-related sites had been compromised with a “watering hole attack” in which attackers find a way to hide malicious code in websites frequented by their targets and then wait for their victims to come to them. Once people visit those sites, that code gets injected into their web browsers.

The technique has been used by governments and hackers for surveillance and to steal passwords.

What made the attacks particularly serious, Mr. Blasco said, was that as long as the victims were logged into China’s 15 top web services — including major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the attackers could identify them and siphon off their personal digital information, even if their victims were logged into Tor or a VPN.

They did this with the aid of a particularly serious vulnerability that 15 web services in China apparently never patched.