Ukraine’s cyberspace remains a constant battleground. Today, June 6th, CERT-UA issued a warning highlighting new tooling employed by the UAC-0057 group. This arsenal, comprising OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES, signifies an evolution in threats and necessitates enhanced cybersecurity measures for Ukrainian organizations. This is particularly crucial for those operating critical infrastructure or engaging with European partners, as it demands the implementation of comprehensive incident response and risk management processes aligned with NIS2 directive requirements.
New Threat: UAC-0057 Toolset
According to CERT-UA’s advisory, the UAC-0057 group is actively utilizing a new suite of malicious software: OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES. These tools are designed for multi-stage attacks aimed at system compromise and the exfiltration of sensitive data.
- OYSTERFRESH: Typically serves as the initial entry vector. It is delivered via phishing emails or malicious websites, disguised as legitimate software or updates. Its primary function is to establish initial access and download additional components.
- OYSTERSHUCK: Following successful infiltration by OYSTERFRESH, OYSTERSHUCK is activated. This tool is designed to escalate privileges within the compromised system, move laterally across the network, and gather intelligence. It can employ various techniques, from exploiting vulnerabilities to credential theft, to gain control over other network nodes.
- OYSTERBLUES: The final stage of the attack involves OYSTERBLUES, which is responsible for maintaining persistence within the system, establishing command-and-control (C2) communication channels, and exfiltrating data. This component ensures long-term access for attackers to the target infrastructure, allowing them to steal information or conduct further destructive actions.
Overall, this toolset indicates a high level of preparation and targeted intent by UAC-0057, making it particularly dangerous for organizations with underdeveloped cyber defense systems.
Cyber Threat Landscape: Phishing, Telecom Fraud, and Preparedness
The emergence of the new UAC-0057 toolset occurs against the backdrop of an increasingly complex global cyber threat landscape. It is important to understand the broader context in which such groups operate.
- Phishing as a Leading Vector: According to the ENISA Threat Landscape 2025, phishing remains the leading initial access vector. This confirms that social engineering is an effective method for bypassing technical security controls. Tools like OYSTERFRESH often rely on this method for initial penetration.
- Risks to Mobile Networks: The same ENISA Threat Landscape 2025 report identifies the exploitation of legacy SS7 and Diameter signaling protocols as a significant risk to mobile networks. This is particularly relevant for telecommunications companies that are part of critical infrastructure.
- Global Telecom Fraud Losses: The CFCA Global Fraud Loss Survey 2025 estimates global telecom fraud losses in 2025 at approximately $41.82 billion. Of this, around $5.31 billion is attributed to subscription fraud, which is based on a real or stolen identity. This underscores the financial motivations of cybercriminals and the importance of protecting identity data.
- Cybersecurity Readiness: The Cisco Cybersecurity Readiness Index 2025, based on a survey of 8,000 cybersecurity leaders across 30 markets, found that organizations assess their readiness across five key areas, including AI Fortification. This indicates a growing awareness of the need to leverage AI for defense.
Business Risks: Why NIS2 Compliance is Mandatory for Ukrainian Companies
For Ukrainian companies, especially those integrated into European supply chains or operating in critical infrastructure sectors, compliance with the NIS2 Directive (Network and Information Systems Directive 2) is a mandatory requirement. This directive also extends to companies providing services or operating within the European Union, even if their primary operations are outside the EU.
Non-compliance with NIS2 carries significant business risks:
- Fines: The directive mandates substantial fines for cybersecurity violations. For ‘essential entities,’ this can be up to €10 million or 2% of annual global turnover, whichever is greater. For ‘important entities,’ it can be up to €7 million or 1.4% of annual global turnover.
- Loss of Contracts and Reputation: Failure to demonstrate NIS2 compliance can lead to the loss of existing contracts with European clients and the inability to secure new ones. Reputational damage from incidents occurring due to non-compliance can be long-lasting.
- Operational Disruptions: The absence of adequate cybersecurity measures, as required by NIS2, increases the likelihood of successful cyberattacks, leading to downtime, data loss, and other operational disruptions.
NIS2 requires companies to implement comprehensive measures, including risk management, incident response (with mandatory reporting within 24 hours of a significant incident and 72 hours for updates), business continuity, supply chain security, and the use of cryptography.
Common Pitfall: SIEM Without an Incident Response Process
One of the most common mistakes is investing in SIEM (Security Information and Event Management) systems without properly implementing incident response (IR) processes and establishing a qualified Security Operations Center (SOC) team. A SIEM system itself is merely a tool for collecting, aggregating, and correlating logs. It generates alerts but does not act on them.
In practice, this means a company spends money on SIEM licenses and implementation but fails to invest in:
- Developing IR Playbooks: Clear, step-by-step instructions on what to do when a specific type of attack is detected.
- Staff Training: Personnel working with the SIEM lack the necessary skills for alert analysis and incident investigation.
- Establishing a SOC Team: Often, SOC functions are assigned to existing IT specialists who are already overloaded with daily tasks and lack sufficient time or expertise for round-the-clock monitoring.
- Integration with Other Systems: The SIEM operates in isolation, not integrated with Identity and Access Management (IAM), Vulnerability Management, or Security Orchestration, Automation, and Response (SOAR) systems.
The result is a system that generates thousands of alerts that go unnoticed or are responded to too slowly. In the case of the UAC-0057 attack, which uses a multi-stage toolset, a delay in responding to an initial alert from OYSTERFRESH can give attackers enough time to deploy OYSTERSHUCK and OYSTERBLUES, leading to complete system compromise.
Operational Scenario: Securing a National-Scale Bank
Let’s consider an operational scenario for a national-scale bank facing an attack similar to one employing the UAC-0057 toolset. The bank manages millions of accounts, processes large volumes of financial transactions, and is subject to stringent regulatory requirements, including PCI DSS, ISO/IEC 27001, and, given its international operations, NIS2.
Initial Conditions:
- The bank has a distributed infrastructure: central office, dozens of branches, data centers, and cloud services.
- A SIEM system is in place, but its integration with response processes is not perfect.
- Personnel regularly undergo cybersecurity hygiene training, but the risk of human error remains.
Attack Scenario:
- Initial Compromise (OYSTERFRESH): A bank employee receives a phishing email impersonating a regulatory body. The email contains a link to a malicious document that installs OYSTERFRESH on their workstation.
- Privilege Escalation (OYSTERSHUCK): OYSTERFRESH grants attackers initial access. By exploiting a vulnerability in legacy software or using stolen credentials, OYSTERSHUCK begins lateral movement across the network, searching for access to internal servers containing customer data.
- Data Exfiltration (OYSTERBLUES): After gaining access to critical systems, OYSTERBLUES establishes a persistent C2 communication channel and begins exfiltrating data: account information, transaction details, and internal financial reports.
Consequences Without Proper Response:
- Financial Losses: Direct losses from fraudulent transactions or ransom.
- Reputational Damage: Loss of customer trust, potentially leading to capital flight.
- Regulatory Penalties: For violations of PCI DSS, ISO/IEC 27001, and NIS2.
- Legal Repercussions: Lawsuits from customers and regulators.
Effective defense in such a scenario requires not only technical means but also mature processes: 24/7 monitoring, rapid anomaly detection in the SIEM, immediate engagement of the SOC team operating under clear IR playbooks, isolation of compromised systems, and service restoration. A delay of a few hours can cost millions.
CERT-UA Recommendations and Practical Countermeasures
CERT-UA provides specific recommendations for countering the UAC-0057 toolset. These recommendations, combined with general cybersecurity practices and NIS2 requirements, form a comprehensive defense approach.
Practical Steps to Enhance Cybersecurity:
- Strengthen Phishing Defenses: Implement multi-factor authentication (MFA) and conduct regular employee training on recognizing phishing emails and social engineering tactics. Utilize modern solutions for email filtering and web browser protection.
- Vulnerability Management and Patching: Regularly scan systems for vulnerabilities and promptly install security updates. This is critical for preventing the exploitation of known vulnerabilities that OYSTERSHUCK might use.
- Anomaly Detection and Monitoring: Effectively use SIEM systems to collect and analyze logs from all critical systems. Configure correlation rules to detect signs of OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES activity, such as anomalous account behavior or unusual network traffic.
- Network Segmentation: Divide the corporate network into logical segments to limit lateral movement by attackers in case of a single segment compromise.
- Backup and Recovery Plan: Regularly create backups of critical data and develop a detailed incident recovery plan.
- Incident Response (IR): Develop and regularly test IR playbooks. Establish or engage a qualified SOC team capable of 24/7 monitoring, detection, and response to incidents in accordance with NIS2 reporting timelines (24/72 hours).
- Supply Chain Security: Assess cybersecurity risks for all vendors and partners who have access to your infrastructure or data. This is a key NIS2 requirement.
- Penetration Testing and Red Teaming: Conduct regular penetration tests and Red Teaming exercises to evaluate the effectiveness of existing security measures and identify weaknesses.
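The "Anomaly Detection and Monitoring" step above asks for correlation rules that catch the three stages in sequence rather than as isolated events. The following Python sketch is an added example, not CERT-UA's rule content and not code from the original article: it replays constructed, already-normalised SIEM events (the host names, user names, IP addresses and the single IoC domain are placeholders, not real indicators) and raises a per-stage alert for an Office-spawned network download or IoC lookup, for one account reaching several internal hosts in a short window, and for regular-interval outbound connections, plus a chained alert when those stages line up along one attack path. Thresholds and the 24-hour chain window are assumptions chosen for the sample data; a production SIEM would express the same logic in its own rule language and tune them to the environment.

```python
"""Toy SIEM-style correlation over constructed log events (added example).

Flags the three-stage pattern the advisory describes (email-borne initial
access, lateral movement, persistent C2 beaconing) plus a placeholder IoC hit.
Hosts, users, addresses and the IoC list are all constructed; none of CERT-UA's
real indicators are reproduced here."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

IOC_DOMAINS = {"update-portal.example"}   # placeholder, not a real IoC
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERNAL_PREFIX = "10."                    # constructed internal address range
LATERAL_MIN_HOSTS = 3                      # distinct targets from one source host
LATERAL_WINDOW = timedelta(minutes=10)     # assumed window for lateral movement
BEACON_MIN_CONNS = 4                       # repeats to one external destination
BEACON_MAX_JITTER = 10.0                   # max stddev (seconds) between beacons
CHAIN_WINDOW = timedelta(hours=24)         # assumed stage-1-to-stage-3 limit


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Return (time, rule, subject) alerts, oldest first, for normalised events."""
    alerts = []
    stages = defaultdict(dict)   # host -> {stage_name: first time seen}
    logons = defaultdict(list)   # (user, source host) -> [(time, dest host)]
    targets = defaultdict(set)   # source host -> hosts it logged on to
    conns = defaultdict(list)    # (host, external dest) -> [connection times]
    for ev in sorted(events, key=lambda e: e["t"]):
        t, host, kind = ev["t"], ev["host"], ev["type"]
        # Stage 1: an Office process spawning a child that talks to the network,
        # or a lookup of a listed domain, marks likely initial access.
        if kind == "process" and ev["parent"] in OFFICE_APPS and ev.get("net"):
            alerts.append((t, "office_child_download", host))
            stages[host].setdefault("initial_access", t)
        elif kind == "dns" and ev["query"] in IOC_DOMAINS:
            alerts.append((t, "ioc_domain_match", host))
            stages[host].setdefault("initial_access", t)
        # Stage 2: one account reaching many distinct internal hosts from the
        # same source within a short window is the lateral-movement signal.
        elif kind == "logon":
            key = (ev["user"], host)
            logons[key].append((t, ev["dst"]))
            targets[host].add(ev["dst"])
            recent = {d for lt, d in logons[key] if t - lt <= LATERAL_WINDOW}
            if len(recent) >= LATERAL_MIN_HOSTS and "lateral" not in stages[host]:
                alerts.append((t, "lateral_movement", ev["user"]))
                stages[host]["lateral"] = t
        # Stage 3: evenly spaced connections to one external address look like
        # C2 beaconing; low jitter between gaps separates it from browsing.
        elif kind == "conn" and not ev["dst"].startswith(INTERNAL_PREFIX):
            times = conns[(host, ev["dst"])]
            times.append(t)
            if len(times) >= BEACON_MIN_CONNS and "c2" not in stages[host]:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                if pstdev(gaps) <= BEACON_MAX_JITTER:
                    alerts.append((t, "c2_beaconing", host))
                    stages[host]["c2"] = t
    # Chain rule: initial access on a host, lateral movement from it, and
    # beaconing from one of its targets inside the window -> top priority.
    for host, seen in list(stages.items()):
        if "initial_access" in seen and "lateral" in seen:
            for dst in sorted(targets[host]):
                c2_t = stages[dst].get("c2") if dst in stages else None
                if c2_t and c2_t - seen["initial_access"] <= CHAIN_WINDOW:
                    alerts.append((c2_t, "multistage_chain", f"{host}->{dst}"))
    return alerts


def mk(t, kind, host, **fields):
    return {"t": ts(t), "type": kind, "host": host, **fields}


SAMPLE_EVENTS = [  # constructed sample events, already normalised SIEM-style
    mk("2025-06-06 09:02:11", "process", "WS-042", parent="winword.exe", net=True),
    mk("2025-06-06 09:02:15", "dns", "WS-042", query="update-portal.example"),
    mk("2025-06-06 09:40:00", "logon", "WS-042", user="alice", dst="SRV-FILE-01"),
    mk("2025-06-06 09:41:30", "logon", "WS-042", user="alice", dst="SRV-APP-02"),
    mk("2025-06-06 09:43:05", "logon", "WS-042", user="alice", dst="SRV-DB-01"),
    mk("2025-06-06 10:15:00", "conn", "SRV-DB-01", dst="203.0.113.7"),
    mk("2025-06-06 10:20:01", "conn", "SRV-DB-01", dst="203.0.113.7"),
    mk("2025-06-06 10:24:58", "conn", "SRV-DB-01", dst="203.0.113.7"),
    mk("2025-06-06 10:30:02", "conn", "SRV-DB-01", dst="203.0.113.7"),
    # benign noise: one ordinary logon and a single web fetch must stay silent
    mk("2025-06-06 11:00:00", "logon", "WS-017", user="bob", dst="SRV-FILE-01"),
    mk("2025-06-06 11:05:00", "conn", "WS-017", dst="198.51.100.20"),
]

if __name__ == "__main__":
    for t, rule, subject in correlate(SAMPLE_EVENTS):
        print(t.isoformat(sep=" "), rule, subject)
```

Running the script prints four stage alerts followed by the chain alert for WS-042->SRV-DB-01, while the two benign events at the end raise nothing. The design point is that each stage alone is noisy (Office macros fetch updates, administrators log on to several servers, some software polls on a timer), whereas the chained rule ties a specific host's initial-access signal to lateral movement from that host and beaconing from one of its targets, which is the condition worth paging the SOC for and starting the IR playbook clock on.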
Readiness Checklist for Countering UAC-0057 and NIS2 Compliance
- Are SIEM correlation rules configured to detect specific Indicators of Compromise (IoCs) related to OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES?
- Are IR playbooks developed and tested for scenarios involving phishing followed by lateral movement?
- Is the supply chain risk management process formalized in accordance with NIS2 requirements?
- Does the employee training program include phishing simulation attacks with results analysis?
- Is the SIEM system integrated with other solutions (SOAR, IAM) to accelerate response times?
- Are scenarios similar to UAC-0057 attacks included in the regular penetration testing program?
- Is 24/7 monitoring ensured, and are responsible parties designated to meet NIS2 reporting deadlines (24/72 hours)?