Abstract: With the rapid development of technologies such as computers and smart devices, cyber attack incidents occur frequently and cause increasingly serious economic or reputational losses. To reduce losses and prevent future attacks, it is necessary to trace cyber attack incidents to their source so that the attackers can be held accountable. Attribution of cyber attackers is still mainly a manual process carried out by forensic analysts. Faced with growing volumes of analysis data and a growing number of analysis dimensions, semi-automated or automated methods for mining and analysing cyber attackers are urgently needed. This study proposes a graph-model-based attacker mining and analysis method for cyber attack incidents. The method first establishes an ontology model for cyber attack incident attribution, then fuses clue data extracted from cyber attack incidents with various threat intelligence data to construct a cyber attack incident attribution relationship graph. A graph embedding algorithm automatically learns, from this attribution relationship graph, a representation vector for each cyber attack incident that embeds the incident's clue characteristics. A classifier is then trained on the representation vectors of historical cyber attack incidents and assigns a new cyber attack incident to one cyber attacker. Finally, the feasibility and effectiveness of the method are verified by experiments.
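The pipeline the abstract describes (attribution graph from incident clues plus threat intelligence, graph embedding, classifier over historical incidents), as an added toy illustration that is not the paper's own code: incidents and clue nodes are constructed, the embedding is a simple two-hop neighbourhood aggregation standing in for the paper's graph embedding algorithm, and the classifier is a cosine nearest-neighbour lookup. All incident ids, domains, malware families, TTP labels and ASNs below are made up.

```python
from collections import defaultdict
import math

# Constructed sample data (every value is made up): historical incidents with a
# known attacker and the clue nodes extracted from each, plus threat-intel edges
# that relate clue nodes to one another (e.g. a domain observed inside an ASN).
HISTORICAL = {
    "inc-001": ("GroupA", ["dom:a.test", "mal:FamX", "ttp:spearphish", "asn:AS111"]),
    "inc-002": ("GroupA", ["dom:b.test", "mal:FamX", "ttp:spearphish", "asn:AS111"]),
    "inc-003": ("GroupB", ["dom:c.test", "mal:FamY", "ttp:exploit-webapp", "asn:AS222"]),
    "inc-004": ("GroupB", ["dom:d.test", "mal:FamY", "ttp:scripting", "asn:AS222"]),
}
INTEL_EDGES = [("dom:e.test", "asn:AS222")]  # constructed intel: new domain hosted in AS222

def build_graph(historical, intel_edges):
    """Undirected attribution graph with incident<->clue and clue<->clue edges."""
    adj = defaultdict(set)
    for inc, (_, clues) in historical.items():
        for c in clues:
            adj[inc].add(c); adj[c].add(inc)
    for a, b in intel_edges:
        adj[a].add(b); adj[b].add(a)
    return adj

def embed(adj, clues):
    """Two-hop neighbourhood vector over clue nodes: a direct clue weighs 1.0;
    a clue reached through one more edge (intel-related clue, or a clue of an
    incident that shares a clue) weighs 0.5. Incident nodes are not dimensions."""
    vec = defaultdict(float)
    for c in clues:
        vec[c] += 1.0
        for n in adj.get(c, ()):
            targets = adj[n] if n.startswith("inc-") else {n}
            for t in targets:
                if t != c and not t.startswith("inc-"):
                    vec[t] += 0.5
    return vec

def cosine(u, v):
    dot = sum(x * v.get(k, 0.0) for k, x in u.items())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def attribute(adj, historical, new_clues, threshold=0.2):
    """Attacker of the most similar historical incident, or None when no
    historical incident is similar enough; also returns the similarity."""
    q = embed(adj, new_clues)
    best, best_sim = None, 0.0
    for _, (attacker, clues) in historical.items():
        sim = cosine(q, embed(adj, clues))
        if sim > best_sim:
            best, best_sim = attacker, sim
    return (best if best_sim >= threshold else None), round(best_sim, 3)
```

The intel edge is what links `dom:e.test` to GroupB's infrastructure: with the same clue and no fused intelligence the lookup returns None, which is the case the graph fusion step is meant to cover.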