Transcripts For CNBC 60 Minutes On CNBC 20140120 : vimarsana

CNBC 60 Minutes On CNBC January 20, 2014

Which is why the U.S. government launched an elaborate international sting to nab Viktor Bout. What makes Bout so dangerous? And how did D.E.A. agents eventually grab him? The answers in our story later.

[ticking] This is what espionage looks like. The man driving the car is Gregg Bergersen. He's a civilian analyst at the Pentagon with one of the nation's highest security clearances. His companion is Tai Shen Kuo, a spy for the People's Republic of China. Bergersen knew a secret that the Chinese desperately wanted to know, and neither man knows that what they're about to do is being recorded by two cameras the FBI has concealed in their car.

Let you have the money. Oh, oh. Are you sure that that's okay? Yeah, it's fine.

Welcome to 60 Minutes on CNBC. I'm Bob Simon. In this edition, we turn our attention to some foreign intrigue. First, a story about a mysterious computer virus that struck an Iranian nuclear plant. Later, the report of how American agents hunted a notorious arms dealer. And finally, an account of a Chinese-American spy trying to steal U.S. military secrets for China. We begin with the story of Stuxnet, a computer virus considered to be the world's first destructive cyberweapon. It was launched several years ago against an Iranian nuclear facility, almost certainly with some U.S. involvement. But as Steve Kroft reported in March of 2012, the implications and possible consequences of this new kind of warfare are now being studied intensely.

I do believe that the cyber threat will equal or surpass the threat from counterterrorism in the foreseeable future. There's a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack. We will suffer a catastrophic cyber attack. The clock is ticking.

And there's reason for concern. For more than a decade, the U.S. military establishment has treated cyberspace as a domain of conflict, where it would need the capability to fend off attack or launch its own.
That time is here, because someone sabotaged a top secret nuclear installation in Iran with nothing more than a long string of computer code.

We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction and, in this case, physical destruction in someone else's critical infrastructure.

Few people know more about the dark military art of cyberwar than retired general Michael Hayden. He's a former head of the National Security Agency and was CIA director under George W. Bush. He knows a lot more about the attack on Iran than he can say here.

This was a good idea, all right? But I also admit this was a really big idea too. The rest of the world is looking at this and saying, clearly, someone has legitimated this kind of activity as acceptable international conduct. The whole world is watching.

The story of what we know about the Stuxnet virus begins in June of 2010, when it was first detected and isolated by a tiny company in Belarus after one of its clients in Iran complained about a software glitch. Within a month, a copy of the computer bug was being analyzed within a tight-knit community of computer security experts, and it immediately grabbed the attention of Liam O'Murchu, an operations manager for Symantec, one of the largest antivirus companies in the world.

As soon as we saw it, we knew it was something completely different, and red flags started to go up straightaway.

To begin with, Stuxnet was incredibly complicated and sophisticated, beyond the cutting edge. It had been out in the wild for a year without drawing anyone's attention and seemed to spread by way of USB thumb drives, not over the internet. O'Murchu's job was to try and unlock its secrets and assess the threat for Symantec's clients by figuring out what the malicious software was engineered to do and who was behind it.

How long was the Stuxnet code?
You're talking tens of thousands of lines of code, a very, very long project, very well written, very professionally written, and very difficult to analyze.

Unlike the millions of worms and viruses that turn up on the internet every year, this one was not trying to steal passwords, identities, or money. Stuxnet appeared to be crawling around the world, computer by computer, looking for some sort of industrial operation that was using a specific piece of equipment, a Siemens S7-300 programmable logic controller.

This gray box here is essentially what runs factory floors. And you program this box to control your equipment. And you say, turn on the conveyor belt. Turn on the heater. Turn on the cooler. Shut the plant down. It's all contained in that box. And that's what Stuxnet was looking for. It wanted to get its malicious code onto that box.

The programmable logic controller, or PLC, is one of the most critical pieces of technology you've never heard of. They contain circuitry and software essential for modern life and control the machines that run traffic lights, assembly lines, oil and gas pipelines, not to mention water treatment facilities, electric companies, and nuclear power plants.

And that was very worrying to us 'cause we thought it could've been a water treatment facility here in the U.S., or it could've been trying to take down electricity plants here in the U.S.

The first breakthrough came when O'Murchu and his five-man team discovered that Stuxnet was programmed to collect information every time it infected a computer and to send it on to two websites in Denmark and Malaysia. Both had been registered with a stolen credit card, and the operators were nowhere to be found. But O'Murchu was able to monitor the communications.

Well, the first thing we did was, we looked at where the infections were occurring in the world, and we mapped them out. And that's what we see here. We saw that 70 of the infections occurred in Iran.
That's very unusual for malware that we see. We don't normally see high infections in Iran.

Please learn from Stuxnet.

Two months later, Ralph Langner, a German expert on industrial control systems, added another piece of important information: Stuxnet didn't attack every computer it infected.

This whole virus is designed only to hit one specific target in the world.

How could you tell that?

It goes through a sequence of checks to actually determine if this is the right target. It's kind of a fingerprinting process, a process of probing if this is the target I'm looking for, and if not, it just leaves the controller alone.

Stuxnet wasn't just looking for a Siemens controller that ran a factory floor. It was looking for a specific factory floor, with a specific type and configuration of equipment, including Iranian components that weren't used anywhere else in the world and variable speed motors that might be used to regulate spinning centrifuges, a fragile piece of equipment essential to the enrichment of uranium. And Langner speculated publicly that Stuxnet was out to sabotage Iran's nuclear program.

Well, we knew at this time that the highest number of infections had been reported in Iran, and second, it was pretty clear, just by looking at the sophistication, that there would be at least one nation-state behind this. You know, you just add one and one together.

By the fall of 2010, the consensus was that Iran's top secret uranium enrichment plant at Natanz was the target and that Stuxnet was a carefully constructed weapon designed to be carried into the plant on a corrupted laptop or thumb drive, then infect the system, disguise its presence, move through the network, changing computer code, and subtly alter the speed of the centrifuges without the Iranians ever noticing. Sabotage by software.

Stuxnet's entire purpose is to control centrifuges, to make centrifuges speed up past what they're meant to spin at and to damage them.
Certainly it would damage the uranium enrichment facility, and they would need to be replaced.

If the centrifuges were spinning too fast, wouldn't the operators at the plant know that?

Stuxnet was able to prevent the operators from seeing that on their screen. The operators would look at the screen to see what's happening with the centrifuges, and they wouldn't see that anything bad was happening.

[ticking] Coming up, the danger of cyber warfare.

You don't need many billions. You just need a couple of millions. And this would buy you a decent cyber attack, for example, against the U.S. power grid.

That's next when 60 Minutes on CNBC continues.

[male announcer] What kind of energy is so abundant, it can help provide the power for all this? Natural gas. More than ever before, America's electricity is generated by it. ExxonMobil uses advanced visualization and drilling technologies to produce natural gas. Powering our lives. While reducing emissions by up to 60. Energy lives here.

It now seems likely that by the time Liam O'Murchu and Ralph Langner finally unraveled the mystery in November of 2010, Stuxnet had already accomplished at least part of its mission. Months before the virus was first detected, inspectors from the International Atomic Energy Agency had begun to notice that Iran was having serious problems with its centrifuges at Natanz.

What we know is that an IAEA report said that 1,000 to 2,000 centrifuges were removed from Natanz for unknown reasons. And we know that Stuxnet targets 1,000 centrifuges. So from that, people are drawn to the conclusion, well, Stuxnet got in and succeeded. That's the only evidence that we have.

The only information that's not classified. Yes.

And there are lots of things about Stuxnet that are still top secret. Who was behind it?

What we do know is that this was a very large operation.
You're really looking at a government agency from some country who is politically motivated and who has the insider information from a uranium enrichment facility that would facilitate building a threat like this.

An intelligence agency, probably. Probably.

We know from reverse engineering the attack codes that the attackers have full, and I mean this literally, full tactical knowledge of every damn detail of this plant. So you could say, in a way, they know the plant better than the Iranian operator.

We wanted to know what retired general Michael Hayden had to say about all this, since he was the CIA director at the time Stuxnet would have been developed.

You left the CIA in 2009?

2009, right.

Does it surprise you that this happened?

You need to separate my experience at CIA with your question, all right?

Right. You can't talk about the CIA.

No, and I don't even want to suggest what may have been on the horizon or not on the horizon, or anything like that.

Right. If you look at the countries that have the capability of designing something like Stuxnet and you take a look at the countries that would have a motive for trying to destroy Natanz, where do those two sets intersect? You're pretty much left with the United States and Israel.

Well, yes, but there is no good with someone of my background even speculating on that question, so I won't.

Iran's president, Mahmoud Ahmadinejad, shown here at Natanz in 2008, blamed the cyber attack on enemies of the state and downplayed the damage. Both the U.S. and Israel maintain that it set back the Iranian program by several years. What's impossible to know is how much damage the attackers might have inflicted if the virus had gone undetected and not been exposed by computer security companies trying to protect their customers.
They planned to stay in that plant for many years and to do the whole attack in a completely covert manner, that anytime a centrifuge would break, the operators would think, this is, again, a technical problem that we have experienced, for example, because of poor quality of these centrifuges that we are using.

We had a good idea that this was a blown operation, something that was never meant to be seen. It was never meant to come to the public's attention.

You say blown, meaning?

If you're running an operation like this to sabotage a uranium enrichment facility, you don't want the code uncovered. You want it kept secret, and you want it just to keep working, stay undercover, do its damage and disappear, and hopefully nobody would ever see it.

Do you think this was a blown operation?

No, not at all. I think it's an incredibly sophisticated operation.

But General Hayden did acknowledge that there are all sorts of potential problems and possible consequences that come with this new form of warfare.

When you use a physical weapon, it destroys itself, in addition to the target, if it's used properly. A cyberweapon doesn't. So there are those out there who can take a look at this, study it, and maybe even attempt to turn it to their own purposes.

Such as launching a cyber attack against critical infrastructure here in the United States. Until the fall of 2011, Sean McGurk was in charge of protecting it, as head of cyber defense at the Department of Homeland Security. He believes that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations.

You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back towards wherever it came from.

Sounds a little bit like Pandora's box.

Yes. Whoever launched this attack, they opened up the box. They demonstrated the capability.
They showed the ability and the desire to do so, and it's not something that can be put back.

If somebody in the government had come to you and said, look, we're thinking about doing this. What do you think? What would you have told them?

I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.

Meaning that other people could use it against you?

Yes. Or use their own version of the code. Something similar. Son of Stuxnet, if you will.

As a result, what was once abstract theory has now become a distinct possibility. If you can do this to an uranium enrichment plant, why couldn't you do it to a nuclear power reactor in the United States or an electric company?

You could do that to those facilities. It's not easy. It's a difficult task, and that's why Stuxnet was so sophisticated, but it could be done.

You don't need many billions. You just need a couple of millions. And this would buy you a decent cyber attack, for example, against the U.S. power grid.

If you were a terrorist group or a failed nation-state and you had a couple of million dollars, where would you go to find the people that knew how to do this?

On the internet.

They're out there?

Sure.

Most of the nation's critical infrastructure is privately owned and extremely vulnerable to a highly sophisticated cyberweapon like Stuxnet.

I can't think of another area in homeland security where the threat is greater and we've done less.

After several failures, Congress is once again trying to pass the nation's first cybersecurity law. And once again, there is fierce debate over whether the federal government should be allowed to require the owners of critical infrastructure to improve the security of their computer networks. Whatever the outcome, no one can say the nation hasn't been warned.

Since the story first aired, new information about Stuxnet has been revealed. According to the New York Times, Stuxnet was part of a secret U.S.-Israeli operation hatched during the Bush administration and accelerated under President Obama. According to the report, the operation was code-named Olympic Games.

[ticking] Coming up, American agents track the world's most notorious arms dealer.

He's arming not only designated terrorist groups, insurgent groups, but he's also arming very powerful drug trafficking cartels around the globe.

The merchant of death, when 60 Minutes on CNBC returns.

[ticking] [male announcer] A car that is able to see, to calculate, to think and can respond to what it encounters. Even if that means completely stopping itself. It's the stuff of science fiction. Minus the fiction. The 2014 E-Class. See your authorized dealer for exceptional offers through Mercedes-Benz Financial Services.

Customizable charts, powerful screening tools, and guaranteed one-second trades. And at the center of it all is a surprisingly low price, just 7.95. In fact, Fidelity gives you lower trade commissions than Schwab, TD Ameritrade, and E*Trade. I'm Monica Santiago of Fidelity Investments, and low fees and commissions are another reason serious investors are choosing Fidelity. Call or click to open your Fidelity account today.

[ticking] Viktor Bout was an elusive international arms dealer known to law enforcement officials as the merchant of death. According to the D.E.A., he sold weapons to insurgent groups, terrorists, and warring factions around the world. Bout was thought to be uncatchable, but as CBS News correspondent Armen Keteyian reported in 2010, that didn't stop the D.E.A. from trying.

Viktor Bout, in my eyes, is one of the most dangerous men on the face of the earth.

On the face of the earth?

Without a doubt. Mi
