CANBERRA, Australia—A cyberattacker nicknamed “Alf” gained access to an Australian defense contractor’s computers and began a four-month raid that snared data on sophisticated U.S. weapons systems.

Using the simple combinations of login names and passwords “admin; admin” and “guest; guest” and exploiting a vulnerability in the company’s help-desk portal, the attacker roved the firm’s network for four months. The Australian military referred to the breach as “Alf’s Mystery Happy Fun Time,” referring to a character from the...