The hackers, who go by the group name 'm0sted', breached a server at the army's McAlester Ammunition Plant in Oklahoma on 26 January and a server at the US Army Corps of Engineers' Transatlantic Center in Winchester, Virginia, on 19 September, 2007, the report said.
Investigators believe an SQL injection attack was used to exploit a vulnerability in Microsoft's SQL Server database in order to gain access to the servers.
See Also: Mysterious virus strikes FBI
It is unclear whether any sensitive information was accessed, according to the report.
Search warrants have been served on Microsoft, Yahoo, Google and other ISPs and email providers, while a criminal investigation is underway at the Defense Department, the US Army's Judge Advocate General's Office, and the Computer Emergency Response Team, InformationWeek reported.
The same group defaced the United Nations website in 2007, also using a SQL injection attack.
This article was originally posted on CNET News.