Wired has a fascinating in-depth look at what went into unraveling the mysteries of Stuxnet, sophisticated malware that, based on the best available evidence, was directed specifically at an Iranian nuclear plant.
Headlined "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History," the story is very long but well worth the read. Here's one snippet dealing with the realization on the part of the "detectives" that the author of Stuxnet was likely a government - the United States and/or Israel - as opposed to your garden-variety cybercriminals:
The sophistication of the code, plus the fraudulent certificates, and now Iran at the center of the fallout made it look like Stuxnet could be the work of a government cyberarmy - maybe even a United States cyberarmy.
This made Symantec's sinkhole an audacious move. In intercepting data the attackers were expecting to receive, the researchers risked tampering with a covert U.S. government operation. Asked recently if they were concerned about this, (Symantec's Eric) Chien replied, "For us there's no good guys or bad guys." Then he paused to reconsider. "Well, bad guys are people who are writing malicious code that infects systems that can cause unintended consequences or intended consequences."
Whether the "bad guy" was the United States or one of its allies, the attack was causing collateral damage to thousands of systems, and Symantec felt no patriotic duty to preserve its activity. "We're not beholden to a nation," Chien said. "We're a multinational, private company protecting customers."
Bet it wasn't seen quite that simply by Stuxnet's masters.