The extent of the hackers' alleged intrusions was revealed on Monday (US time) in a 22-page indictment handed down by a grand jury in New Jersey against 28-year-old Englishman Lauri Love.
Love was arrested at his home in Stradishall, England, on Friday and has been charged with accessing a US department or agency computer without authorisation.
"As part of their alleged scheme, they stole military data and personal identifying information belonging to servicemen and women," US Attorney Paul J Fishman said.
"Such conduct endangers the security of our country and is an affront to those who serve."
US authorities declined to discuss the identities of the two Australians and the Swede or whether they had been arrested or will be arrested and extradited to the US.
In Love's indictment the two Australians are referred to as Co-conspirator 1 (CC-1) and Co-conspirator 2 (CC-2). CC-1 resided "in or near" NSW and CC-2 resided "in or near Australia", according to the indictment.
"This is still an ongoing investigation and there is really not more information on the public record to speak about it," said Rebekah Carmichael, spokeswoman for the US Attorney's Office.
It is alleged Love and his co-conspirators sought out and then hacked thousands of computer systems.
Once inside compromised networks they placed hidden "shells" or "back doors" within the networks, allowing them to return at a later date and steal confidential data, authorities said.
The indictment includes alleged online conversations the hackers had on what they believed were secure chat forums.
In one conversation after a NASA database was accessed in July, Love allegedly wrote: "we own nasa". CC-2 replied: "supa".
Love allegedly boasted they had "10 subdomains of nasa.gov" and "I think we can do some hilarious stuff with it".
But, CC-2, mindful of not getting caught, allegedly wrote: "but server must have no link to you or us when done we kill it".
After hacking the Missile Defence Agency in October last year, Love pasted into a chat log samples of stolen data, including account user names, email addresses and telephone numbers of various individuals, authorities allege.
Prosecutors allege the hackers found vulnerabilities in structured query language, or SQL, databases to infiltrate US government computer networks. They also allegedly exploited vulnerabilities in a web application platform US agencies used known as Coldfusion.
If convicted, Love faces a maximum potential penalty of five years in prison.
smh.com.au 29 Oct 2013