Stuxnet is what it is. It's an exploit aimed at Windows based systems which automatically runs when inserted into a machine. Nothing more than a "USB Switchblade." It made everyone go "gaga" because of the use of "0days" and many didn't and STILL don't understand that this isn't very uncommon.
1) I create an application capable of autorunning and bypassing Antivirus, IPS, etc.
(Social Engineering Toolkit can provide me with this capability)
2) a few weeks go on and I upload and add what I want to make my application more covert, more effective
3) Few more weeks pass and I add and modify more capabilities undetected
4) OMG my application is discovered
Because of 1 - 3, there is no way for someone to conclusively make a statement that I created Application X with N amount of 0days. The fact is, I could have loaded up a browser cocktail, infected a network, come back as time progressed and uploaded whatever I want. Because researchers came in at number 4, they concluded: "OMG so many 0days" when the reality is:
a) It's command and control - no one is sure how it was initially developed. It could have started out as a client side that was modified later on.
b) the so called "0-days" weren't even 0days. They were talked about on "many-a-full-disclosure" list for some time.
There is a difference between a "never seen before" attack vector and a security release that states "no known exploits." Sure, there are no KNOWN exploits, but there is a visible problem that the security community knows about. For example, my moronic mushroomcloud attack. Completely toasts VMWare thanks to Trend Micro. The code has not been made public - this does not mean it isn't exploitable.
When you state "there appears to be no risk of a nuclear fallout" it all depends on whom you ask. Were you to believe Symantec's rendition of Stuxnet, a nuclear facility will keep running and running regardless of the safety mechanisms. This could and most likely WOULD lead to catastrophe. If you think spilled Uranium - whether enriched or not - is not serious, I suggest you read more about it (Uranium). Just because they don't have "weapons grade" Uranium doesn't minimize the threat from a fallout.
Now, when you read what was delivered via the CSFI report, you read what has been sanitized, scrubbed and made into a structured report. There was and is a lot I can't talk about and there is a vast "raise of the eyebrows" a-la "wait a minute" that went/and is going on. Destabilization is one way to put it although ATTRIBUTION is key here:
Would you say this incident "destabilized" this company? Who can we attribute it to? In the case of Stuxnet we have to look at what is involved in something of a "nation-state" program like this. Millions of dollars on what? A silver bullet that won't fire? It would be a tremendous loss of money period.
Research into something like this from "the pros" would have NOT used some of the payloads used in Stuxnet. For example, the attackers targeted the MS08-067 vulnerability yet many "hackers" know that this is an unstable target. It's likely to blue-screen. Would YOU as a director of some nation state program say: "Alright, so we've invested N amount of money to infiltrate this network covertly, what do you say we use this exploit that is known to bluescreen systems eh?"
Aside from that, there is other information that actually points to a few individuals capable of carrying something like this out. None have ties to "Israel" or some other government, yet they do/did have ties to RBN companies - and that's all I will/can say. This is fact - although because of NDA I cannot repost nor comment more on that statement. So we have a few distinct views alongside backchannel talks about "whodunnit." At the end of the day... Unless someone is arrested and comes clean, it's all speculatory.