It’s hard to believe this network was not air-gapped.
I have done a lot of work on networks for defense companies, and they were always air-gapped, by regulation and by government contract.
The whole friggin network, not just the classified portions.
It’s the rule, not the exception.
Whoever this contractor is should never receive another defense contract. They were most certainly in violation of the one which they held up until now.
Nothing officially classified was on the affected intranet network AFAIK. It would be a huge violation if otherwise.
Contractor unclassified networks typically contain competition sensitive and ITAR information, and they interconnect with the Internet via firewalls. This is how it works for business reasons, and I wouldn’t expect it to change unless the classification umbrella is enlarged to take in millions or billions of documents which were previously unclassified and distributed and replicated with little or no control. I can assure you that would be a nightmare of vast proportions. Like closing the barn after a billion cows already escaped.