The Ukrainian government’s Computer Emergency Response Team, CERT-UA, issued a warning on May 21st of this year regarding an updated toolkit used by the cyber group UAC-0057. This group is actively employing new malware, OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES, in phishing campaigns targeting Ukrainian public organizations, as detailed in a CERT-UA report. This event once again underscores the continuous evolution of cyber threats and the necessity for the public sector to reassess its cybersecurity strategies.
The overall level of cyber threats in Ukraine remains high. Although no critical cyber incidents were recorded in the second half of 2025, and the number of low-level incidents decreased by 87%, the general trend is concerning. Throughout 2025, CERT-UA processed nearly 6,000 cyber incidents, a 37.4% increase compared to 2024, when 4,315 incidents were recorded, according to data from cip.gov.ua. This rise in incident volume, even with a decrease in criticality, indicates persistent pressure on state systems and the need for adaptive defense strategies.
New cyber threats from UAC-0057: challenges for public organizations
The cyber group UAC-0057 is known for its targeted approach and adaptability. The emergence of new tools like OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES signifies their efforts to bypass existing defense mechanisms. These programs are likely designed to perform specific tasks within phishing campaigns, enabling attackers to gain initial access, establish persistence within networks, and exfiltrate sensitive data.
For public organizations, this means that current threat detection systems and antivirus solutions may not be sufficiently effective against these new, previously unknown signatures. It is crucial not only to update threat databases but also to implement proactive defense mechanisms based on behavioral analysis, rather than solely relying on signatures.
Phishing as a leading attack vector: why basic measures are insufficient
Phishing continues to be the leading vector for initial access into systems, as noted by ENISA in its Threat Landscape report. This is corroborated by CERT-UA’s warning regarding UAC-0057. Phishing’s ease of implementation and high effectiveness make it an attractive tool for attackers, and the human factor often proves to be the weakest link in the cybersecurity chain.
Basic measures, such as personnel training and standard spam filters, no longer provide an adequate level of protection. Modern phishing attacks are becoming increasingly sophisticated, employing elements of social engineering, masquerading as legitimate communications, and utilizing complex technical tricks to bypass filters. Effective phishing countermeasures require a comprehensive approach that includes multi-layered technical filtering, continuous personnel training with real-world attack simulations, and rapid response to detected threats.
A common mistake: compliance as an illusion of security
Many public organizations focus on achieving compliance with cybersecurity standards like ISO/IEC 27001 or national cybersecurity requirements. While this is an important step, compliance alone does not guarantee actual security. CISA describes Cross-Sector Cybersecurity Performance Goals as foundational cybersecurity practices for critical infrastructure with a known value in risk reduction. However, foundational practices are merely a starting point.
The common mistake is that organizations perceive compliance as the end goal rather than a minimally required condition. In practice, this leads to a formalistic approach where documentation and procedures exist but do not always reflect the actual state of affairs or are not adapted to new threats. Cybersecurity is a continuous process that demands constant risk assessment, monitoring, and improvement, extending beyond formal requirements.
Architectural example: integrating cybersecurity into operational processes
To achieve true resilience, cybersecurity must be integrated directly into operational processes and information system architecture. Consider this example: instead of separate, disparate security systems, an organization can implement a Zero Trust architecture.
In a typical Zero Trust architecture, every request to access resources (data, applications, network segments) undergoes full authentication and authorization, regardless of whether it originates from within the network or externally. This includes:
- Network micro-segmentation: Dividing the network into small, isolated segments to limit the lateral spread of threats.
- Multi-factor authentication (MFA): Mandatory for all users and devices, significantly complicating unauthorized access.
- Continuous monitoring and behavioral analysis: SIEM and UEBA systems constantly analyze user and system activity, identifying anomalies that may indicate compromise. For instance, if an employee who typically works with documents suddenly starts accessing critical databases from an unusual IP, it could be an indicator of an attack.
- Automated incident response: Integration of security systems allows for automatic blocking of suspicious activity, isolation of compromised nodes, and notification of responsible personnel.
This approach allows for not only the detection of new threats like OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES but also for minimizing their potential impact, even if they successfully bypass initial filters.
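The behavioral-analysis step described above (an employee who normally works with documents suddenly querying a critical database from an unfamiliar IP) can be illustrated with a small baseline-and-deviation scorer. The code below is an added example written for this article; it is not CERT-UA tooling or any vendor's UEBA product. It assumes a constructed log format of `timestamp key=value ...` lines exported from a SIEM, a resource naming convention in which critical databases are prefixed `db:`, and a baseline window of known-good activity per user; all sample log lines are constructed.

```python
"""Toy UEBA-style anomaly scoring over SIEM-exported access logs (illustrative)."""
from collections import defaultdict

# Constructed sample data: a baseline window of normal activity per user
# (assumption: reduced from a longer SIEM export to a handful of lines).
BASELINE_LOGS = """\
2025-06-02T09:14:02Z user=alice src=10.0.1.15 resource=docs:shared action=read
2025-06-02T10:02:11Z user=alice src=10.0.1.15 resource=docs:shared action=write
2025-06-03T08:55:40Z user=alice src=10.0.1.15 resource=mail:inbox action=read
2025-06-02T09:30:00Z user=bob src=10.0.2.40 resource=db:registry action=query
2025-06-03T09:31:12Z user=bob src=10.0.2.40 resource=db:registry action=query
"""

# Constructed events to score against that baseline.
NEW_EVENTS = """\
2025-06-09T22:41:07Z user=alice src=198.51.100.23 resource=db:registry action=query
2025-06-09T09:05:33Z user=bob src=10.0.2.40 resource=db:registry action=query
2025-06-09T09:07:10Z user=alice src=10.0.1.15 resource=docs:shared action=read
2025-06-09T11:20:45Z user=alice src=10.0.1.15 resource=docs:hr action=read
2025-06-09T12:00:00Z user=carol src=10.0.3.9 resource=docs:shared action=read
"""

# Assumption: critical data stores are named "db:<name>" in the log schema.
CRITICAL_PREFIXES = ("db:",)


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (constructed format)."""
    parts = line.split()
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def build_baseline(lines):
    """Collect, per user, the source IPs and resources seen in the baseline window."""
    baseline = defaultdict(lambda: {"ips": set(), "resources": set()})
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        baseline[ev["user"]]["ips"].add(ev["src"])
        baseline[ev["user"]]["resources"].add(ev["resource"])
    return baseline


def score_event(baseline, ev):
    """Return (severity, reasons); severity is None when nothing deviates."""
    reasons = []
    profile = baseline.get(ev["user"])
    if profile is None:
        reasons.append("no_baseline_for_user")
    else:
        if ev["src"] not in profile["ips"]:
            reasons.append("unseen_source_ip")
        if ev["resource"] not in profile["resources"]:
            reasons.append("unseen_resource")
    critical = ev["resource"].startswith(CRITICAL_PREFIXES)
    if critical and reasons:
        reasons.append("critical_resource")
    if not reasons:
        return None, []
    # A deviation that touches a critical store is escalated; a deviation on an
    # ordinary resource (or an unknown user on one) is flagged at medium only.
    severity = "high" if critical else "medium"
    return severity, reasons


def detect(baseline_lines, event_lines):
    """Score every event; return alerts as (user, resource, src, severity, reasons)."""
    baseline = build_baseline(baseline_lines)
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        severity, reasons = score_event(baseline, ev)
        if severity:
            alerts.append((ev["user"], ev["resource"], ev["src"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOGS, NEW_EVENTS):
        print(alert)
```

Run as-is, the scorer leaves bob's routine database query and alice's routine document access silent, raises a medium alert for alice reading a document set she has not touched before and for a user with no baseline at all, and raises a high alert for alice querying the registry database from an address never seen for her account. The high-severity path is the one an automated response step would act on (session isolation and notification), while medium alerts are better queued for analyst review to keep false positives from degrading trust in the system.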
Practical steps towards real resilience: from basic to proactive
Transitioning from a basic security level to proactive defense requires systemic changes. This is not a one-time implementation but a continuous evolution of processes and technologies. To achieve this, it’s worth verifying the presence of key components.
Proactive cybersecurity checklist for public organizations
- Is centralized log collection and analysis (SIEM) implemented for prompt anomaly detection?
- Are clearly defined and tested incident response (IR) procedures in place, adhering to regulatory timelines (24/72 hours)?
- Are regular penetration tests (pentest) and attack simulations (red teaming) conducted to assess actual system resilience?
- Is there a supply chain security risk management policy for critical services and software?
- Are Zero Trust principles utilized, specifically micro-segmentation and dynamic access policies based on context (device, location, behavior)?
- Are phishing simulations conducted for personnel in addition to standard training?
- Is an adequate level of cryptographic protection ensured for sensitive data, both at rest and in transit?
Implementing these steps will enable public organizations not just to meet minimum requirements but to build a deeply layered defense capable of effectively countering constantly evolving threats, such as the new tools from UAC-0057.