Threat Actor

Information about threat actors

Special privileges required

Threat Actors are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Threat actors are known persons or groups responsible for security incidents.

Object Attributes

A threat actor object contains the following attributes:

  • aggregations: <dictionary> dictionary of commonalities between the different IoCs associated with the threat actor, grouped by IoC type (files, URLs, domains, IP addresses).
    • domains: <dictionary> technical commonalities among all domains tied to a threat actor.
    • files: <dictionary> technical commonalities among all files tied to a threat actor.
    • ip_addresses: <dictionary> technical commonalities among all IP addresses tied to a threat actor.
    • urls: <dictionary> technical commonalities among all URLs tied to a threat actor.
  • alt_names_details: <list of dictionaries> list of alternative names / aliases by which the threat actor is known, each with additional data such as the confidence of the information.
    • confidence: <string> confidence on the information or the attribution of the alternative name to the threat actor.
    • description: <string> additional information related to the alternative name.
    • first_seen: <integer> the first time that alternative name was attributed to the threat actor (UTC timestamp).
    • last_seen: <integer> the last time that alternative name was attributed to the threat actor (UTC timestamp).
    • value: <string> alternative name / alias.
  • collection_type: <string> identifies the type of the object. For threat actors the value of this attribute is threat_actor.
  • counters: <dictionary> dictionary of counters of related objects.
    • domains: <integer> number of domains related to the threat actor.
    • files: <integer> number of files related to the threat actor.
    • iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the threat actor.
    • ip_addresses: <integer> number of IP addresses related to the threat actor.
    • subscribers: <integer> number of users subscribed to the threat actor.
    • urls: <integer> number of URLs related to the threat actor.
  • creation_date: <integer> threat actor object creation date (UTC timestamp).
  • description: <string> description / context about the threat actor.
  • first_seen_details: <list of dictionaries> dictionaries with additional information related to the threat actor's first activity, differentiating between confirmed and suspected activity.
    • confidence: <string> confidence on the information or the attribution of the first activity seen related to the threat actor.
    • description: <string> description / additional information about the first activity seen of the threat actor.
    • first_seen: <integer> the first time this first activity date has been attributed to the threat actor (UTC timestamp).
    • last_seen: <integer> the last time this first activity date has been attributed to the threat actor (UTC timestamp).
    • value: <string> date when the first observation about that threat actor was made ("YYYY-MM-DDTHH:mm:ssZ" format).
  • last_modification_date: <integer> last time when the threat actor's information was updated (UTC timestamp).
  • last_seen_details: <list of dictionaries> dictionaries with additional information related to the threat actor's last activity, differentiating between confirmed and unconfirmed activity.
    • confidence: <string> confidence on the information or the attribution of the last activity seen related to the threat actor.
    • description: <string> description / additional information about the last activity seen of the threat actor.
    • first_seen: <integer> the first time this last activity date has been attributed to the threat actor (UTC timestamp).
    • last_seen: <integer> the last time this last activity date has been attributed to the threat actor (UTC timestamp).
    • value: <string> date when the last observation about that threat actor was made ("YYYY-MM-DDTHH:mm:ssZ" format).
  • merged_actors: <list of dictionaries> list of actors confirmed to be part of a larger group (the current threat actor) into which they were merged.
    • confidence: <string> confidence on the information or the attribution of the merged threat actor to the current threat actor.
    • description: <string> description / additional information about the merged actor (e.g. a reference to its report or actor ID).
    • first_seen: <integer> the first time this merged threat actor was attributed to the current threat actor (UTC timestamp).
    • last_seen: <integer> the last time this merged threat actor was attributed to the current threat actor (UTC timestamp).
    • value: <string> name of the merged threat actor.
  • motivations: <list of dictionaries> threat actor's motivations such as espionage, financial gain, etc.
    • confidence: <string> confidence on the information or the attribution of the motivation to the threat actor.
    • description: <string> description / additional information about the threat actor's motivation.
    • first_seen: <integer> the first time this motivation was attributed to the current threat actor (UTC timestamp).
    • last_seen: <integer> the last time this motivation was attributed to the current threat actor (UTC timestamp).
    • value: <string> threat actor's motivation.
  • name: <string> threat actor's name.
  • origin: <string> identifies the source of the information: Partner for curated objects from trusted partners and security researchers, and Google Threat Intelligence for curated objects from Google TI experts.
  • private: <boolean> whether the threat actor object is private or not.
  • recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods, where a "recent activity" period is 14 days.
  • recent_activity_summary: <list of integers> time series representing the activity of the indicators of compromise related to the threat actor over the last 2 weeks.
  • source_regions_hierarchy: <list of dictionaries> country or region from which the threat actor of interest is known to originate.
    • confidence: <string> confidence on the information or the threat actor's source region association.
    • country: <string> country from which the threat actor of interest is known to originate.
    • country_iso2: <string> source country as an ISO 3166 alpha-2 code.
    • description: <string> description / additional information about the threat actor's source region.
    • first_seen: <integer> the first time this source region was attributed to the current threat actor (UTC timestamp).
    • last_seen: <integer> the last time this source region was attributed to the current threat actor (UTC timestamp).
    • region: <string> region from which the threat actor of interest is known to originate.
    • source: <string> information's supplier.
    • sub_region: <string> subregion from which the threat actor of interest is known to originate.
  • status: <string> indicates whether the object has attributes that are pending recomputation (e.g. top_icon_md5 after changes are made). The possible values are PENDING_RECOMPUTE and COMPUTED.
  • tags_details: <list of dictionaries> dictionaries of tags associated with the threat actor with some additional context.
    • confidence: <string> confidence on the information or the tag association to the threat actor.
    • description: <string> description / additional information related to the tag associated with the threat actor.
    • first_seen: <integer> the first time this tag was attributed to the current threat actor (UTC timestamp).
    • last_seen: <integer> the last time this tag was attributed to the current threat actor (UTC timestamp).
    • value: <string> value of the tag.
  • targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the threat actor.
    • confidence: <string> confidence on the information or the threat actor's targeted industry association.
    • description: <string> description / additional information related to the threat actor's targeted industry.
    • first_seen: <integer> the first time this targeted industry was associated with the current threat actor (UTC timestamp).
    • industry: <string> threat actor's targeted sub-industry.
    • industry_group: <string> threat actor's targeted industry group.
    • last_seen: <integer> the last time this targeted industry was associated with the current threat actor (UTC timestamp).
    • source: <string> information's supplier.
  • targeted_regions_hierarchy: <list of dictionaries> list of regions and countries known to be targeted by the threat actor.
    • confidence: <string> confidence on the information or the threat actor's targeted region association.
    • country: <string> threat actor's targeted country.
    • country_iso2: <string> targeted country as an ISO 3166 alpha-2 code.
    • description: <string> description / additional information related to the threat actor's targeted region.
    • first_seen: <integer> the first time this targeted region was associated with the current threat actor (UTC timestamp).
    • last_seen: <integer> the last time this targeted region was associated with the current threat actor (UTC timestamp).
    • region: <string> threat actor's targeted region.
    • source: <string> information's supplier.
    • sub_region: <string> threat actor's targeted sub-region.
  • top_icon_md5: <list of strings> list of the 3 most frequent icons among the threat actor's IoCs (file icons, and URL and domain favicons). Icons are represented by their MD5 hash.
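
As an added example (not code from the Google TI documentation or its client libraries), the helpers below work on the object shape described above: they verify the documented definition of counters.iocs, group aliases from alt_names_details by confidence, and parse the "YYYY-MM-DDTHH:mm:ssZ" values in first_seen_details / last_seen_details, preferring a confirmed entry. The sample object is constructed and populates only the attributes the helpers read.

```python
from datetime import datetime, timezone
# Constructed sample of a Google TI threat actor object (not real data); only
# the attributes these helpers read are populated, using the documented types.
SAMPLE = {
    "attributes": {
        "collection_type": "threat_actor",
        "alt_names_details": [
            {"value": "SAMPLE-A", "confidence": "confirmed",
             "first_seen": 1700000000, "last_seen": 1710000000},
            {"value": "SAMPLE-B", "confidence": "possible",
             "first_seen": 1705000000, "last_seen": 1705000000},
        ],
        "counters": {"files": 120, "urls": 30, "domains": 25,
                     "ip_addresses": 5, "iocs": 180, "subscribers": 3},
        "first_seen_details": [
            {"value": "2019-03-01T00:00:00Z", "confidence": "confirmed"}],
        "last_seen_details": [
            {"value": "2024-02-10T12:30:00Z", "confidence": "suspected"},
            {"value": "2023-11-05T00:00:00Z", "confidence": "confirmed"}],
        "last_modification_date": 1710000000,
    },
}

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the documented "YYYY-MM-DDTHH:mm:ssZ" format

def epoch_to_utc(ts):
    """Convert the integer UTC timestamps used by *_seen and *_date fields."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def counters_consistent(attrs):
    """Check that counters.iocs equals files + URLs + domains + IP addresses."""
    c = attrs["counters"]
    return c["iocs"] == c["files"] + c["urls"] + c["domains"] + c["ip_addresses"]

def aliases_by_confidence(attrs):
    """Group alternative names (alt_names_details) by their confidence label."""
    grouped = {}
    for entry in attrs.get("alt_names_details", []):
        grouped.setdefault(entry["confidence"], []).append(entry["value"])
    return grouped

def activity_bound(details, prefer="confirmed"):
    """Pick one *_seen_details entry, preferring the given confidence label,
    and return (datetime, confidence) parsed from its ISO-8601 value."""
    chosen = next((d for d in details if d["confidence"] == prefer), details[0])
    when = datetime.strptime(chosen["value"], DATE_FMT).replace(tzinfo=timezone.utc)
    return when, chosen["confidence"]
```

The confidence labels used in the sample ("confirmed", "possible", "suspected") are assumed for illustration; the page does not enumerate the values of the confidence field.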

Relationships

In addition to the previously described attributes, threat actor objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following list summarizes the available relationships and the object type each one returns:

  • associations: List of all objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated with the current threat actor, without filtering by object type.
  • attack_techniques: List of MITRE ATT&CK techniques.
  • autogenerated_graphs: List of graphs related to the current threat actor.
  • campaigns: List of associated Campaign objects.
  • collections: List of associated IoC collection objects.
  • comments: List of Comments.
  • domains: List of Domains associated with the threat actor.
  • editors: List of users, groups and data connectors that can edit this threat actor (only available to the owner or editor of the entity).
  • files: List of Files associated with the threat actor.
  • hunting_rulesets: List of curated YARA rulesets assigned by the entity owner.
  • ip_addresses: List of IP addresses associated with the threat actor.
  • malware_families: List of associated Malware family objects.
  • owner: User who created the object.
  • related_collections: List of objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) containing IoCs associated with this entity.
  • reports: List of associated Report objects.
  • sigma_rules: List of crowdsourced SIGMA rulesets matching at least one file associated with this threat actor.
  • software_toolkits: List of associated Software or Toolkit objects.
  • suspected_threat_actors: List of threat actors that are suspected, but not yet confirmed, to be part of the same group.
  • threat_actors: List of other threat actors associated with the current threat actor.
  • urls: List of URLs associated with the threat actor.
  • viewers: List of users, groups and data connectors that can view the entity (only available to the owner or editor of the entity).
  • vulnerabilities: List of associated Vulnerability objects.
  • yara_rulesets: List of crowdsourced YARA rulesets matching at least one file associated with this threat actor.