US Cyber Command · Schema
ThreatActor
A nation-state-sponsored threat actor or advanced persistent threat (APT) group whose malware USCYBERCOM has publicly disclosed.
Cybersecurity, Federal Government, Military, Threat Intelligence, Defense
Properties
| Name | Type | Description |
|---|---|---|
| actor_id | string | Unique identifier for the threat actor. Required. |
| name | string | Common name or alias of the threat actor. Required. |
| alternative_names | array | Alternative names, aliases, or designations for this threat actor. |
| nation_state_sponsor | string | Nation-state that sponsors or directs this threat actor. Required; one of `Russia`, `Iran`, `North Korea`, `China`, `Other`, `Unknown`. |
| sponsoring_agency | string | Specific government agency or military unit attributed to this actor. |
| primary_motivation | string | Primary motivation driving this threat actor. One of `Espionage`, `Financial Gain`, `Destructive Attacks`, `Information Operations`, `Sabotage`. |
| targeted_sectors | array | Industry sectors and critical infrastructure primarily targeted by this actor. |
| malware_families | array | Malware families or tools attributed to this threat actor. |
| first_observed | string | Approximate date this threat actor was first publicly identified, as a `date`-format string (YYYY-MM-DD). |
| mitre_group_id | string | MITRE ATT&CK Group identifier for this threat actor (for example, `G0034`). |
| description | string | Description of the threat actor's activities and characteristics. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/us-cyber-command/refs/heads/main/json-schema/uscybercom-threat-actor-schema.json",
"title": "ThreatActor",
"description": "A nation-state-sponsored threat actor or advanced persistent threat (APT) group whose malware USCYBERCOM has publicly disclosed.",
"type": "object",
"properties": {
"actor_id": {
"type": "string",
"description": "Unique identifier for the threat actor.",
"example": "CNMF-TA-RU-001"
},
"name": {
"type": "string",
"description": "Common name or alias of the threat actor.",
"example": "Sandworm"
},
"alternative_names": {
"type": "array",
"description": "Alternative names, aliases, or designations for this threat actor.",
"items": {
"type": "string"
},
"example": ["Voodoo Bear", "Iron Viking", "Telebots", "Electrum"]
},
"nation_state_sponsor": {
"type": "string",
"description": "Nation-state that sponsors or directs this threat actor.",
"enum": [
"Russia",
"Iran",
"North Korea",
"China",
"Other",
"Unknown"
]
},
"sponsoring_agency": {
"type": "string",
"description": "Specific government agency or military unit attributed to this actor.",
"example": "Russian GRU Unit 74455"
},
"primary_motivation": {
"type": "string",
"description": "Primary motivation driving this threat actor.",
"enum": [
"Espionage",
"Financial Gain",
"Destructive Attacks",
"Information Operations",
"Sabotage"
]
},
"targeted_sectors": {
"type": "array",
"description": "Industry sectors and critical infrastructure primarily targeted by this actor.",
"items": {
"type": "string"
},
"example": ["Energy", "Defense", "Government", "Finance"]
},
"malware_families": {
"type": "array",
"description": "Malware families or tools attributed to this threat actor.",
"items": {
"type": "string"
},
"example": ["BlackEnergy", "NotPetya", "Industroyer"]
},
"first_observed": {
"type": "string",
"format": "date",
"description": "Approximate date this threat actor was first publicly identified."
},
"mitre_group_id": {
"type": "string",
"description": "MITRE ATT&CK Group identifier for this threat actor.",
"example": "G0034"
},
"description": {
"type": "string",
"description": "Description of the threat actor's activities and characteristics."
}
},
"required": ["actor_id", "name", "nation_state_sponsor"]
}