The subcontractor was reportedly a "small Australian company with contracting links to national security projects", and the hacker had been present in its systems from July 2016.
He would not comment who might be behind the breach, only stating that the government was spending billions of dollars on cyber security.
Australian Signals Directorate incident response manager Mitchell Clarke, as ZDNet first reported, told the Australian Information Security Association conference in Sydney on Wednesday that "a significant amount of data was stolen".
ASD when they investigated the hack found a China Chopper remote shell, a backdoor commonly used by Chinese hackers, and Clarke said that ASD found that the Alf hacker had been attempting to use this exploit on a number of Australian IT companies.
The federal government has admitted it still doesn't know who managed to hack top secret technical information about new fighter jet and navy vessels a year ago.
"It included information on the (F-35) Joint Strike Fighter, C130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels".
The admin password, to enter the company's web portal, was "admin" and the guest password was "guest".
Another document was a wireframe diagram of one of the Australian navy's new ships, where a viewer could "zoom in down to the captain's chair".
The hack was discovered by a major Defence contractor.
"It could have been a state actor, it could have been cyber criminals, and that's why it was taken so seriously", he said.
Minister for Defence Industry Christopher Pyne said the government is unsure of the identity of the hacker and whether they are state or non-state actor.
The aerospace engineering firm in question had an IT department consisting of just one person who had been working there for nine months.
Mr Tehan said it was unclear who launched the incursion, but the Government was not ruling out a foreign government.
Dan Tehan, the minister in charge of cyber security, on Tuesday confirmed the hacking of an unnamed contractor.
A spokesman for the Australian Cyber Security Centre (ACSC), a government agency, said the government would not release further details about the cyber attack.
"Fortunately, the data that was taken was commercial data, not military data, but it is still very serious and we will get to the bottom of it".