From compliance to proactive cybersecurity for the public sector

CERT-UA warns of renewed activity by UAC-0057 with new tools OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES, which means public organizations need to strengthen their cyber defenses.

The Ukrainian government's Computer Emergency Response Team, CERT-UA, issued a warning on 21 May of this year about an updated toolkit used by the cyber group UAC-0057. According to the CERT-UA report, the group is actively using new malware, OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES, in phishing campaigns against Ukrainian public organizations. The event once again underscores the continuous evolution of cyber threats and the need for the public sector to reassess its cybersecurity strategy.

The overall level of cyber threats in Ukraine remains high. Although no critical cyber incidents were recorded in the second half of 2025, and the number of low-level incidents decreased by 87%, the overall trend is still concerning. Throughout 2025, CERT-UA processed nearly 6,000 cyber incidents, a 37.4% increase over 2024, when 4,315 incidents were recorded, according to data from cip.gov.ua. Rising incident volume, even with lower criticality, indicates persistent pressure on state systems and the need for adaptive defense strategies.

New cyber threats from UAC-0057: challenges for public organizations

The cyber group UAC-0057 is known for its targeted approach and adaptability. The appearance of new tools like OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES signals an effort to bypass existing defenses. Within a phishing campaign, such programs are typically built to perform specific tasks: gaining initial access, establishing persistence in the network, and exfiltrating sensitive data. The CERT-UA report should be consulted for the actual capabilities of each tool.

For public organizations, this means that signature-based detection and antivirus products may have no signatures yet for these new samples and therefore miss them. It is crucial not only to update threat databases but also to deploy proactive defenses based on behavioral analysis, rather than relying on signatures alone.

Phishing as a leading attack vector: why basic measures are insufficient

Phishing remains the leading vector for initial access, as ENISA notes in its Threat Landscape report, and CERT-UA's warning about UAC-0057 confirms it. Its ease of execution and high effectiveness make phishing an attractive tool for attackers, and the human factor often proves to be the weakest link in the cybersecurity chain.

Basic measures, such as personnel training and standard spam filters, are no longer sufficient on their own. Modern phishing attacks are increasingly sophisticated: they rely on social engineering, impersonate legitimate correspondence, and use technical tricks to evade filters. Effective countermeasures require a comprehensive approach: multi-layered technical filtering, continuous personnel training reinforced with realistic attack simulations, and rapid response to detected threats.

Expert comment
Anton Marrero, Co-founder of Softline, Member of the Supervisory Board, Intecracy Group

In projects of this class, where the focus is on compliance with standards, a trap often arises. In practice, compliance itself, for example, with ISO 27001 requirements, does not guarantee real resilience if proper incident response processes are not implemented. A typical failure is having a certificate but lacking clear procedures for analyzing SIEM system logs and automatically isolating compromised nodes.

A common mistake: compliance as an illusion of security

Many public organizations focus on achieving compliance with cybersecurity standards such as ISO/IEC 27001 or national cybersecurity requirements. This is an important step, but compliance alone does not guarantee actual security. CISA describes its Cross-Sector Cybersecurity Performance Goals as foundational cybersecurity practices for critical infrastructure with known risk-reduction value. Foundational practices, however, are only a starting point.

The common mistake is to treat compliance as the end goal rather than as a minimum condition. In practice this produces a formalistic approach: documentation and procedures exist, but they do not always reflect the real state of affairs and are not adapted to new threats. Cybersecurity is a continuous process of risk assessment, monitoring, and improvement that extends beyond formal requirements.

Architectural example: integrating cybersecurity into operational processes

To achieve real resilience, cybersecurity must be built directly into operational processes and information system architecture. One example: instead of a collection of separate, disconnected security systems, an organization can adopt a Zero Trust architecture.

In a Zero Trust architecture, every request for access to a resource (data, applications, network segments) is fully authenticated and authorized, regardless of whether it originates inside the network or outside it. This includes:

  • Network micro-segmentation: dividing the network into small, isolated segments so that a threat cannot spread laterally.
  • Multi-factor authentication (MFA): mandatory for all users, combined with device authentication, which makes unauthorized access significantly harder.
  • Continuous monitoring and behavioral analysis: SIEM and UEBA systems continuously analyze user and system activity and flag deviations from an established baseline that may indicate compromise. For instance, if an employee who normally works with documents suddenly starts accessing critical databases from an unusual IP address, that combination is an indicator of attack.
  • Automated incident response: integrating security systems so that suspicious activity is blocked, compromised hosts are isolated, and responsible personnel are notified automatically.
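The behavioral check and the automated response described in the last two points, written out as an added example (not code from CERT-UA, the article, or any product): a per-user baseline is built from historical access events, each new event is scored against that baseline, and the strongest signal (a never-before-seen critical resource reached from an unusual network or device) triggers host isolation through a caller-supplied hook, while a single weak signal only demands step-up MFA. The access events, user names, hosts, and IP ranges are constructed sample data; the field names and the three-tier response policy are assumptions of this example, not anything the page prescribes.

```python
"""Baseline-driven anomaly detection over access logs, with an isolation hook.

Added example; the log format, tiers and sample data are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    ts: str         # ISO timestamp (informational only)
    user: str
    src_ip: str
    host: str       # device the request originated from
    resource: str   # logical resource name
    critical: bool  # resource classified as critical (e.g. a production database)


def _net(ip: str) -> str:
    """Collapse a source IP to its /24 so a baseline covers an office subnet."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per-user profile: resources touched, /24 networks and hosts seen."""
    profile = defaultdict(lambda: {"resources": set(), "networks": set(), "hosts": set()})
    for e in events:
        p = profile[e.user]
        p["resources"].add(e.resource)
        p["networks"].add(_net(e.src_ip))
        p["hosts"].add(e.host)
    return dict(profile)


def score_event(e, baseline):
    """Return the list of anomaly reasons for one event against the user's baseline."""
    p = baseline.get(e.user)
    if p is None:
        return ["unknown_user"]
    reasons = []
    if _net(e.src_ip) not in p["networks"]:
        reasons.append("unusual_network")
    if e.host not in p["hosts"]:
        reasons.append("new_host")
    if e.resource not in p["resources"]:
        reasons.append("new_critical_resource" if e.critical else "new_resource")
    return reasons


def decide_action(reasons):
    """Map reasons to a response tier; automated isolation only on the combined signal."""
    if "new_critical_resource" in reasons and (
        "unusual_network" in reasons or "new_host" in reasons
    ):
        return "isolate_host"
    if reasons:
        return "require_step_up_mfa"
    return "allow"


def run_detection(baseline_events, live_events, isolate=None):
    """Score live events; call isolate(host) for the top tier; return the alerts raised."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for e in live_events:
        reasons = score_event(e, baseline)
        action = decide_action(reasons)
        if action == "isolate_host" and isolate is not None:
            isolate(e.host)  # hook into EDR / NAC quarantine in a real deployment
        if action != "allow":
            alerts.append({"ts": e.ts, "user": e.user, "host": e.host,
                           "resource": e.resource, "reasons": reasons, "action": action})
    return alerts


# Constructed sample data (not real logs): a document worker and a DB administrator.
BASELINE_EVENTS = [
    AccessEvent("2025-04-01T09:02:00", "o.ivanenko", "10.20.1.31", "WS-0421", "docs-share", False),
    AccessEvent("2025-04-02T10:15:00", "o.ivanenko", "10.20.1.35", "WS-0421", "docs-share", False),
    AccessEvent("2025-04-03T11:40:00", "o.ivanenko", "10.20.1.31", "WS-0421", "docs-share", False),
    AccessEvent("2025-04-01T08:50:00", "a.kovalchuk", "10.20.5.12", "WS-0113", "crm-db", True),
    AccessEvent("2025-04-02T09:05:00", "a.kovalchuk", "10.20.5.14", "WS-0113", "crm-db", True),
]

LIVE_EVENTS = [
    AccessEvent("2025-05-21T09:00:00", "o.ivanenko", "10.20.1.77", "WS-0421", "docs-share", False),
    AccessEvent("2025-05-21T09:30:00", "o.ivanenko", "10.20.1.44", "WS-0421", "crm-db", True),
    AccessEvent("2025-05-21T09:31:00", "o.ivanenko", "192.0.2.15", "WS-0421", "crm-db", True),
    AccessEvent("2025-05-21T09:40:00", "a.kovalchuk", "10.20.5.9", "WS-0113", "crm-db", True),
]


if __name__ == "__main__":
    quarantined = []
    for alert in run_detection(BASELINE_EVENTS, LIVE_EVENTS, isolate=quarantined.append):
        print(alert)
    print("isolated hosts:", quarantined)
```

The same user touching a critical database from the usual subnet produces only a step-up MFA demand, because a new resource alone is also what a legitimate role change looks like; isolation is reserved for the conjunction of an unfamiliar critical resource with an unusual network or device, which keeps a fully automated response from knocking legitimate users offline. In a SIEM this baseline would be rebuilt on a rolling window and the /24 grouping replaced by the organization's own network inventory.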

This approach improves the chance of detecting activity from new tools such as OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES, and, just as importantly, limits the damage they can do even when they get past the initial filters.

Practical steps towards real resilience: from basic to proactive

Moving from a basic level of security to proactive defense requires systemic change. It is not a one-off implementation but a continuous evolution of processes and technology. A useful first step is to check whether the key components are in place.

Proactive cybersecurity checklist for public organizations

  • Is centralized log collection and analysis (SIEM) implemented for prompt anomaly detection?
  • Are clearly defined and regularly tested incident response (IR) procedures in place, meeting the applicable regulatory reporting deadlines (for example 24/72 hours)?
  • Are regular penetration tests (pentest) and attack simulations (red teaming) conducted to assess actual system resilience?
  • Is there a supply chain security risk management policy for critical services and software?
  • Are Zero Trust principles utilized, specifically micro-segmentation and dynamic access policies based on context (device, location, behavior)?
  • Are phishing simulations conducted for personnel in addition to standard training?
  • Is an adequate level of cryptographic protection ensured for sensitive data, both at rest and in transit?

Implementing these steps lets public organizations move beyond the minimum requirements and build a layered defense capable of countering constantly evolving threats, such as the new tools from UAC-0057.

Frequently asked questions
What are the new cyber threats to Ukrainian public organizations from UAC-0057?

The UAC-0057 group is using new malware, OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES, in phishing campaigns targeting Ukrainian public institutions, as warned by CERT-UA.

Why does phishing remain an effective attack vector?

Phishing is effective because it is simple to execute, relies on social engineering, and can evade basic filters, so the human factor remains exposed despite standard protective measures.

How can real cybersecurity be ensured, not just compliance with standards?

Real cybersecurity requires a proactive approach, including integrating defense into operational processes, continuous monitoring, regular penetration testing, supply chain risk management, and ongoing personnel training, going beyond formal compliance with standards.

Data sources