The attackers planted files on a Web server that redirected traffic to an online video site, the ABC claims.
The breach came to the organisation's notice through a report by the state's audit office which, however, did not name the company concerned.
Sunwater has made no public comment about the incident. But it told the ABC that it took cyber security very seriously and that no financial or customer data had been pilfered.
The audit report said, in part: "A cyber breach (between August 2020 and May 2021) resulting in unauthorised access to an entity’s Web server was identified during the year.
"Threat actors (those conducting malicious activities against entities) targeted an older and more vulnerable version of the system.
"The Web server that stores customer information contained suspicious files that increased visitor traffic to an online video platform.
"This did not result in lost customer or financial information. The entity implemented a number of measures to address the breach, including updating software, using stronger password practices, and monitoring incoming and outgoing network traffic."
Commenting on the breach, Andrew Kay, director of Systems Engineering at security firm Illumio, said: "Attackers going undetected for months sounds exceptional, but [this] is quickly becoming the norm.
"What were smash-and-grab tactics of yesteryear are constantly evolving into more sophisticated operations, with attackers finding a foothold in a network and then using that to branch out to other systems.
"Flying under the radar or 'living off the land' to mask from traditional detection and response mechanisms allows for such dwell times and the opportunity for significant damage. What hasn't changed is the targets: critical infrastructure like Sunwater have always presented a high-value target for attackers.
"The story here is typical: a legacy, more vulnerable system was targeted first. Whilst no critical data was stolen in this instance, with the attackers simply redirecting Web traffic, perhaps a more sophisticated bad actor would have exploited the weakness further.
"The solution to attacks like these isn't to pretend that we will be able to keep every single attack out of the network every time – it's simply no longer possible.
"We must move towards Zero Trust strategies, segmenting crucial data (like customer details) and implementing least privilege throughout the network so that attackers face additional barriers should they find a single weakness in the perimeter."