In a blog post, the company's Team Atlas said the other factor that could have blocked the progress of the investigation beyond the second, more targeted stage was the attackers' skill in not leaving the trail of patterns that threat hunters normally identify and track.
On 16 April, the US Government alleged that the Russian security agency known as the Foreign Intelligence Service was responsible for the attack.
To date, no cyber security company, including FireEye, the firm that first made the SolarWinds compromise public, has attributed the attack to any country.
RiskIQ claimed while the espionage campaign itself was progressing, "public-facing research into the campaign is not".
"That’s in part because piecing together what happened so far is exceptionally challenging," the company's researchers wrote. "The threat actor, identified by the US government as APT29, but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy.
"For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them."
A large part of the RiskIQ post covered material that has already been ventilated, with companies like FireEye, Microsoft and Volexity issuing briefs since the initial exposure by FireEye.
The post said a review of all the previously published indicators of compromise had led to its researchers noticing that a majority of SSL certificates used were issued by Sectigo (formerly Comodo CA).
"Additionally, they were all of a particular class called 'PositiveSSL' which costs about US$11 (A$14.3) a year per domain," the post said. "The issue date of the certificates, otherwise known as 'Not Before' in x509 terminology, was often more than a week prior to when the certificate itself was deployed in the wild, or in several cases more than 40 days later."
However, a search for all the certificates issued by Sectigo returned 334,053 results, far too many to be useful on their own.
The RiskIQ team then looked at finding patterns from HTTP banner responses using previously identified domains and IP addresses, as Volexity had done.
Collating this data, RiskIQ said it had managed to find a number of additional domains that could be connected to the attacks.
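The certificate-dating pattern described above, written out as a small hunting filter. This is an added example, not RiskIQ's own tooling: the observation records, domain names and the `product` field (assumed to be tracked out of band, since the PositiveSSL class is not always visible in the certificate itself) are all constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class CertObservation:
    """One TLS certificate sighting from passive collection (constructed schema)."""
    domain: str        # hostname the certificate was served for
    issuer: str        # issuer organisation as written in the x509 Issuer field
    product: str       # certificate class, e.g. "PositiveSSL" (assumption: known out of band)
    not_before: date   # x509 "Not Before" (issue date)
    first_seen: date   # first day the certificate was observed serving traffic


def deployment_lag_days(obs: CertObservation) -> int:
    """Days between issuance (Not Before) and first observed deployment."""
    return (obs.first_seen - obs.not_before).days


def matches_pattern(obs: CertObservation, min_lag_days: int = 7) -> bool:
    """Sectigo-issued PositiveSSL certificate deployed well after its Not Before date.

    A negative lag (seen before Not Before) is clock skew or a collection error,
    not the pattern, so it is deliberately not flagged.
    """
    return (
        "Sectigo" in obs.issuer
        and obs.product == "PositiveSSL"
        and deployment_lag_days(obs) > min_lag_days
    )


def hunt(observations: List[CertObservation], min_lag_days: int = 7) -> List[Tuple[str, int]]:
    """Return (domain, lag_in_days) for every matching sighting, longest lag first."""
    hits = [(o.domain, deployment_lag_days(o)) for o in observations if matches_pattern(o, min_lag_days)]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample sightings; none of these domains are real indicators.
SAMPLE = [
    CertObservation("c2-a.example.net", "Sectigo Limited", "PositiveSSL", date(2020, 3, 1), date(2020, 3, 20)),
    CertObservation("c2-b.example.net", "Sectigo Limited", "PositiveSSL", date(2020, 3, 1), date(2020, 3, 3)),
    CertObservation("c2-c.example.net", "Sectigo Limited", "PositiveSSL", date(2020, 1, 10), date(2020, 2, 24)),
    CertObservation("shop.example.org", "DigiCert Inc", "OV", date(2020, 1, 1), date(2020, 2, 15)),
    CertObservation("skew.example.net", "Sectigo Limited", "PositiveSSL", date(2020, 5, 2), date(2020, 5, 1)),
]

if __name__ == "__main__":
    for domain, lag in hunt(SAMPLE):
        print(f"{domain}: deployed {lag} days after Not Before")
```

As the article notes, issuer and product alone match hundreds of thousands of certificates, so the lag filter only narrows a set that has already been seeded from known infrastructure.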