Read Dennis Fisher explain how RiskIQ security researchers have found the majority of command and control servers used by the SolarWinds hackers on Duo Security Blog :
Months after the initial revelation of the intrusion at SolarWinds, researchers have discovered that the footprint of the infrastructure used by the attackers is much larger than previously thought, a finding that may lead to the eventual discovery of new victims in the future. The findings from RiskIQ show that APT29, also known as Cozy Bear, spent quite a bit of time and energy setting up the infrastructure in such a way that it could avoid creating any recognizable patterns for researchers to latch on to.
Read his full article here.
For more see : RiskIQ.