LEVERAGING YARA AND SIGMA RULES TO DETECT CHINESE STATE-SPONSORED HACKING GROUPS OF THE "TYPHOON" TYPE

Authors

  • Dimitar Dimitrov IT Department, Nikola Vaptsarov Naval Academy (BG)
  • Dimitar Nikolov IT Department, Nikola Vaptsarov Naval Academy (BG)

DOI:

https://doi.org/10.17770/etr2025vol2.8617

Keywords:

China, Cyberspace, Salt Typhoon, Sigma rules, Volt Typhoon, YARA rules

Abstract

This study addresses the escalating cyber threat posed by Chinese state-sponsored hacking groups, particularly the "Typhoon" class (Salt Typhoon and Volt Typhoon), which target critical infrastructure through stealthy and persistent techniques. The research aims to enhance detection capabilities against these advanced persistent threats by analysing their tactics, techniques, and procedures (TTPs) and by developing YARA and Sigma rules. The methodology involves mapping observed TTPs to MITRE ATT&CK and designing detection rules that identify key indicators of compromise in both system files (YARA) and event logs (Sigma). The main contribution of the study is the implementation of rule-based detection mechanisms that proactively uncover malicious activities often missed by traditional signature-based tools.
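Added illustration, not code from the paper: the log-side half of the approach, a Sigma-style detection block evaluated against Windows process-creation events, reduced to a dependency-free Python matcher. The two rules, the "filter_backup" exclusion, and the Sysmon records (paths, addresses, record numbers) are constructed for this example; the commands the rules look for (netsh portproxy forwarding and ntdsutil IFM dumps of NTDS.dit) are living-off-the-land techniques that CISA advisory AA23-144A attributes to Volt Typhoon, and the ATT&CK technique IDs are carried as Sigma tags, mirroring the TTP-to-ATT&CK mapping the methodology describes.

```python
import re

# Illustrative Sigma rules in dict form (this example's, not the paper's). The commands
# they look for are living-off-the-land techniques that CISA advisory AA23-144A attributes
# to Volt Typhoon; the ATT&CK technique IDs ride along as Sigma tags.
RULES = [
    {"title": "Netsh portproxy forwarding rule added",
     "tags": ["attack.command_and_control", "attack.t1090"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {
         "selection_img": {"Image|endswith": "\\netsh.exe"},
         "selection_cmd": {"CommandLine|contains|all": ["portproxy", "add", "v4tov4"]},
         "condition": "selection_img and selection_cmd"}},
    {"title": "NTDS.dit dumped with ntdsutil",
     "tags": ["attack.credential_access", "attack.t1003.003"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {
         "selection": {"Image|endswith": "\\ntdsutil.exe",
                       "CommandLine|contains": ["ifm", "create full"]},  # no |all: ORed
         # Assumed exclusion, for illustration only: a backup agent spawning ntdsutil.
         "filter_backup": {"ParentImage|endswith": "\\wbengine.exe"},
         "condition": "selection and not filter_backup"}},
]

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
EVENTS = [
    {"RecordNumber": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 "
                    "listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.5"},
    {"RecordNumber": 2, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"RecordNumber": 3, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'},
    {"RecordNumber": 4, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "ParentImage": r"C:\Windows\System32\wbengine.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full D:\backup" q q'},
]


def _field_matches(value, spec, mods):
    """Case-insensitive, like Sigma; a value list is ORed unless |all is given."""
    if value is None:
        return False
    v = str(value).lower()
    patterns = [str(p).lower() for p in (spec if isinstance(spec, list) else [spec])]
    op = {"contains": lambda p: p in v, "startswith": v.startswith, "endswith": v.endswith}
    test = next((op[m] for m in mods if m in op), lambda p: v == p)
    return all(map(test, patterns)) if "all" in mods else any(map(test, patterns))


def _selection_matches(event, selection):
    # Fields inside one selection map are ANDed; "Field|mod1|mod2" carries the modifiers.
    return all(_field_matches(event.get(key.split("|")[0]), spec, key.split("|")[1:])
               for key, spec in selection.items())


class _Condition:
    """Recursive-descent evaluator for conditions such as 'a and (b or not c)'."""
    def __init__(self, expr, results):
        self.toks, self.i, self.results = re.findall(r"\(|\)|\w+", expr), 0, results
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None
    def parse(self):
        value = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in condition")
        return value
    def _or(self):
        value = self._and()
        while self._peek() == "or":
            self._take()
            value = self._and() or value   # right side is always evaluated (consumes tokens)
        return value
    def _and(self):
        value = self._not()
        while self._peek() == "and":
            self._take()
            value = self._not() and value
        return value
    def _not(self):
        if self._peek() == "not":
            self._take()
            return not self._not()
        tok = self._take()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("unbalanced parenthesis")
            return value
        if tok not in self.results:
            raise ValueError(f"unknown selection {tok!r}")
        return self.results[tok]


def rule_matches(rule, event):
    det = rule["detection"]
    results = {n: _selection_matches(event, s) for n, s in det.items() if n != "condition"}
    return _Condition(det["condition"], results).parse()


def scan(rules, events):
    """Return (rule title, RecordNumber) for every hit, in event order."""
    return [(r["title"], e["RecordNumber"]) for e in events for r in rules if rule_matches(r, e)]
```

Running `scan(RULES, EVENTS)` flags record 1 (the portproxy forward) and record 3 (the ntdsutil dump) and leaves the firewall query and the backup-agent-spawned ntdsutil alone. Two practical points the matcher makes visible: Sigma string comparisons are case-insensitive, which matters because attackers vary command-line casing, and a filter selection combined with `not` is how legitimate administrative use is carved out of an otherwise noisy living-off-the-land rule. Sigma's `1 of selection*` / `all of them` quantifiers and regex modifiers are not implemented here.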

Published

08.06.2025

How to Cite

[1]
D. Dimitrov and D. Nikolov, “LEVERAGING YARA AND SIGMA RULES TO DETECT CHINESE STATE-SPONSORED HACKING GROUPS OF THE ‘TYPHOON’ TYPE”, ETR, vol. 2, pp. 107–113, Jun. 2025, doi: 10.17770/etr2025vol2.8617.