Cyber Incident Victim: Obama for America
Date: Jul 2015
Location: United States of America
Summary
A Yemeni hacker using the alias "Lov3rDns" compromised and defaced the official social networking domain associated with Barack Obama's presidential campaign, replacing content with a political message demanding Yemen's sovereignty and displaying the South Yemen flag. The attacker, known for previous breaches targeting entities like McAfee, Coca-Cola, and Kaspersky, uploaded offensive material to the subdomain. This incident marked a repeat compromise of the platform, which had facilitated tens of thousands of campaign events and groups. The defacement remained active at the time of reporting, mirroring tactics used by other geopolitical hacker groups to disseminate messages through high-profile digital intrusions.
Description
On July 11, 2015, the official social network domain of former U.S. President Barack Obama’s election campaign, my.barackobama.com, was compromised by a Yemeni hacker using the alias "Lov3rDns." The attacker successfully uploaded a defacement page to the subdirectory /page/file/, replacing legitimate content with a message containing a racial slur directed at Obama and a demand to "leave Yemen alone." The defacement included the flag of South Yemen, signaling the hacker’s geopolitical motivations. Evidence of the breach was documented through a screenshot and mirrored on Zone-H (ID 24577681), confirming unauthorized access to the subdomain of barackobama.com. The compromised platform had historically served as a critical organizing tool during Obama’s presidential campaigns, facilitating 35,000 groups and 200,000 events. This incident marked the second known breach of the domain, following a 2014 defacement by the pro-Assad Syrian Electronic Army. At the time of reporting, the defacement remained active on the targeted site, with no public statements from the Obama organization or law enforcement regarding containment or remediation efforts.

The attacker, Lov3rDns, demonstrated advanced capabilities through a history of high-profile breaches prior to the Obama campaign site compromise. Their confirmed targets included cybersecurity firms (AVG, McAfee, Kaspersky, Avast), academic institutions (MIT), corporate platforms (Coca-Cola, MSN Portugal), and software providers (Firefox, Joomla). This pattern suggested deliberate targeting of entities with significant visibility or security prestige. The incident aligned with broader activities by Yemeni threat actors, including the Yemen Cyber Army’s May 2015 breach of Saudi Arabia’s Ministry of Foreign Affairs and subsequent leak of officials’ credentials. The defacement’s explicit political messaging framed it as a protest against U.S. foreign policy in Yemen, leveraging the global reach of Obama’s digital infrastructure to amplify grievances. No technical details regarding the exploitation vector or data exfiltration were disclosed in available reporting, and the operational impact on the social network’s functionality post-attack remained unverified. Historical vulnerabilities in the platform were underscored by its repeated targeting across distinct geopolitical contexts within a two-year period.
