In a statement sent to Defence Connect, a spokesperson from the ACSC said the information stolen by an unknown cyber thief was commercially sensitive but not classified.
“While presenting at a conference in Sydney, an ASD official (who works for the ACSC) disclosed information about the theft of data from an Australian company," the statement said.
“While the Australian company is a national-security linked contractor and the information disclosed was commercially sensitive, it was unclassified. The government does not intend to discuss further the details of this cyber incident."
The hack included information on the F-35 Joint Strike Fighter, C130 Hercules aircraft, the P-8 Poseidon surveillance aircraft and Australian Navy vessels.
Minister for Defence Industry Christopher Pyne said the government is unsure of the identity of the hacker and whether they are state or non-state actor.
"I don't know who did it ... it could be one of a number of different actors. It could be a state actor, a non-state actor," Minister Pyne told ABC radio on Thursday.
"It could be someone who was working for another company."
The presentation by the ASD official in Sydney revealed the hacker had minimal trouble gaining access to the information, explaining that, while the defence contractor's network was small and vulnerable to threats, the ASD investigation found that its internet-facing services still had their default passwords, admin::admin and guest::guest.
The company, which had only one IT person, was subcontracted four levels down from defence contracts.