The Wall Street Journal (WSJ) and the New York Times (NYT) claim hackers have infiltrated their IT systems to monitor the media organisations' coverage of China.
Cyber spying on reporters would enable Chinese authorities to identify sources on articles and information about pending stories, said the WSJ.
The NYT reported that Chinese hackers had persistently penetrated its systems in the past four months, getting passwords for its reporters and other employees.
The paper said the attacks on its systems coincided with its investigative report into claims that the family of Chinese Premier Wen Jiabao had amassed a multi-billion dollar fortune.
The NYT said the hackers had used methods associated with the Chinese military to monitor the computers of David Barboza, who wrote the report, and one of his predecessors, Jim Yardley.
The NYT said computer security experts had expelled the attackers after tracking them to study their movements and build better defences to block them and prevent them from breaking in again.
Read more about advanced persistent threats (APTs)
- AT&T takes APTs seriously
- Conducting APT detection when Elirks, other backdoors hide traffic
- APTs: Are they really a concern for all businesses?
- Half of UK networks vulnerable to APTs
- Hardening the network against targeted APT attacks
- Surviving cyber war: Preparing for APTs, Stuxnet malware-style attacks
- Boost advanced persistent threat (APT) security levels in six steps
- Ranum chat: APT attacks and malware evolution
- Advanced persistent threat (APT) defense; best practices
The hackers installed malware which enabled them to access any computer using the NYT network, steal the password of every employee and access 53 personal computers, mostly outside the NYT offices.
For years, several governments and companies have accused China of carrying out cyber espionage. NYT publisher Dow Jones & Co said attacks related to China coverage were an ongoing issue.
However, Dow Jones & Co said in a statement that the hacking was aimed at monitoring coverage of China and did not appear to be an attempt to gain commercial advantage or steal customer information.
The publisher said it had boosted its network security and was working with authorities and security specialist to protect customers, employees, journalists and sources.
China's foreign ministry dismissed the NYT’s accusations as "groundless" and "totally irresponsible", according to the BBC.
"China is also a victim of hacking attacks. Chinese laws clearly forbid hacking attacks and we hope relevant parties take a responsible attitude on this issue," said Chinese foreign ministry spokesman Hong Lei.
FBI points to media targets
The US Federal Bureau of Investigation (FBI) has been probing media hacking incidents for more than a year and considers the hacking a national security matter, said the WSJ.
Evidence suggested the hacking was conducted largely by one group that focused on media companies, the WSJ said.
Sophisticated, targeted attacks have changed the cyber landscape, said Rob Cotton, chief executive at security services firm NCC Group.
“Everybody is vulnerable to these threats - no organisation is safe,” Cotton said.
The NYT was using Symantec antivirus software, but out of 45 pieces of custom malware, Symantec's software identified just one, according to The Guardian.
Although the hacking at the NYT cannot be blamed purely on the failure of antivirus software, Cotton said the ongoing issue is that signature-based antivirus tackles a problem that was prevalent 20 years ago, but is largely irrelevant to today's cyber threats.
"Security budgets must be spread across a range of mitigation strategies, such as thorough employee education, whitelisting authorised software, data loss prevention and third-party security," he said.
Howard Schmidt warns businesses
Earlier in the week, former US cyber czar Howard Schmidt told Computer Weekly that no businesses can ignore state-sponsored and other invisible, yet persistent threats designed to get into networks to steal information.
“Businesses need to be concerned. They cannot afford to sit back and say government must do something. It is up to them to do what they can to protect their key data assets,” Schmidt said.
All organisations can start with simple things that will greatly reduce the likelihood of becoming victims of persistent threats.
For example, it is a good idea to allow only digitally signed emails to reach employees and to automate strong authentication processes instead of leaving it up to employees, said Schmidt.