Why Salt Typhoon currently cannot be removed.

The persistence kit doesn’t depend on the entry vector — patches don’t evict it.

Cisco Talos’s incident-response writeup4 documents an inventory of persistence techniques the group runs once inside a Cisco IOS XE / IOS / NX-OS device. Each survives patching the CVE that admitted them: once the GRE tunnel and the alternate-port sshd and the modified AAA server and the rotated SNMP community are in place, removing them requires touching the device’s running configuration line by line, not pushing an image update.

ROMMONkit-class persistence cannot be defender-validated.

Per MITRE ATT&CK technique T1542.004 (Pre-OS Boot: ROMMONkit),5 adversaries can overwrite the ROMMON image with malicious code that operates before the operating system loads, providing persistence “in a way that may be difficult to detect.” Cisco’s IOS XE factory-reset all secure command on 17.18.1a or later clears SPI NOR FLASH, config-register, and ROMMON variables6 — but there is no documented means for defenders to independently validate ROMMON cleanliness without vendor support. On older platforms where the secure reset semantics don’t exist, the device requires physical access for console-cable ROMMON reflash, or replacement. The defender cannot prove the bootloader is clean from the network side — only the vendor can.

The credential layer is its own multi-year program — CVE patches don’t rotate stolen secrets.

Cisco Talos’s account of investigated incidents is explicit: “In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials.”4 Anne Neuberger’s December 2024 White House briefing put the credential-surface compromise at roughly 100,000 router admin accounts.7 Patching a CVE does not rotate a stolen credential. Rotating ~100,000 admin credentials at carrier scale, across acquired legacy networks, with TACACS+ / RADIUS shared secrets and BGP/OSPF authentication keys and SSH host keypairs and SNMPv3 user credentials, is its own multi-year operational program. Until it is run end-to-end — including the AAA-server side, including the service accounts used by mgmt tooling — the stolen credentials remain usable. The single-CVE framing of removal misses the entire credential surface.

Eviction must be simultaneous across the affected estate — partial response alerts the actor.

The August 2025 CISA / NSA / FBI joint advisory AA25-239A states the operational constraint directly: “Where possible, gaining a full understanding of the APT actors’ extent of access into networks followed by simultaneous measures to remove them may be necessary to achieve a complete and lasting eviction. Partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction.”8

For a tier-1 carrier, the affected estate is hundreds to thousands of routers across thousands of POPs distributed across every U.S. state and territory. The cut window has to be coordinated across carrier ops, vendor TAC, federal IR, and (where lawful intercept is in scope) FBI / FCC liaison — over an out-of-band comms plan, because admin email and chat are presumed compromised. No tier-1 carrier maintains the standing field-engineering capacity for a nationwide simultaneous cut window as a baseline. The capacity has to be assembled, which means scheduling, which means coordination, which is exactly the planning surface the joint advisory says must precede the cut.

The SS7 / Diameter signaling layer can’t be patched out — it’s an architecture problem measured in years.

SS7 (legacy 2G/3G) and Diameter (4G/5G control plane) are the protocols carriers use for call setup, SMS delivery, subscriber location, and roaming. They lack origin authentication by design; any peer connected to the SS7 international transit network can issue queries that the receiving switch will honor. Salt-Typhoon-class abuse at this layer doesn’t look like “a CVE on a router” — it looks like fraudulent signaling sources inserted at HLR / HSS, MSC, MME, or PGW boundaries. Defenses are architectural: SS7 firewalls (Mavenir, Adaptive Mobile, Cellusys) at the international interconnect, Diameter Edge Agent screening per GSMA FS.11 / FS.19, partner-validation policies at the IPX boundary, and ultimately migration to 5G Standalone’s Service-Based Architecture. Per public reporting, this is “years (and billions of dollars) to replace.”2 Until then, the protocol layer remains a parallel persistence path independent of the IP-layer device fleet.

The evidence you would need to confirm eviction is the evidence the actor erased.

The December 2024 CISA / FBI / NSA joint advisory documents that Salt Typhoon erased logs.8 Telecoms weren’t keeping adequate logs to begin with. Network devices rarely run EDR; firmware implants live below the layer most security tooling can see. You cannot evict what you cannot detect, and you cannot detect what your tools can’t reach. “We don’t see Salt Typhoon on our network” is consistent with both successful eviction and continued residence with successful evasion — the persistence kit explicitly includes Guest Shell processes that don’t surface in standard auditing commands.4 A claim of removal grounded in absence of alerts is not the same as a claim grounded in positive evidence.

There is no shared definition of “evicted” — carriers and the government use the same word to mean incompatible things.

In December 2024, AT&T, Verizon, and Lumen publicly stated they had “purged” or “contained” the breach.2 In the same week, CISA and the FBI publicly said Salt Typhoon was still active in U.S. telecom networks.1 Both sides were speaking truthfully because “purged” / “contained” / “evicted” are not defined terms with auditable criteria attached. When the Senate Commerce Committee demanded documentation supporting the carrier claims, AT&T and Verizon failed to provide any.3 A removal claim that depends on the carrier’s self-vocabulary is structurally unverifiable; the absence of agreed criteria is a precondition for the December-2024 dispute to keep replaying. See the Closure page for the six-criterion definition Trenchwork proposes.

The FCC rolled back its only enforceable post-Salt-Typhoon rule in November 2025.

After Salt Typhoon, the FCC adopted Communications-Service-Provider Cybersecurity Reporting Requirements — the lone enforceable federal rule with teeth. In November 2025 the FCC partially rolled those rules back, under FCC Chair Brendan Carr; the FCC’s own draft ruling conceded that the underlying vulnerabilities “are still being exploited.”23 Without an enforceable reporting baseline, every device-level and architectural control a carrier might deploy remains best-effort rather than auditable. Removal is not just a technical problem — it is a regulatory problem whose enforcement layer is currently going in the wrong direction.

The National Guard breach demonstrates that the target set is expanding, not stabilizing.

Per a Department of Homeland Security memo dated June 11, 2025 — obtained by FOIA, first reported by NBC News — Salt Typhoon “extensively compromised a U.S. state’s Army National Guard network” from March through December 2024.9

The exfiltrated data is itself a follow-on weapon. Admin credentials and network diagrams pre-position the actor for the next intrusion. In fourteen states, Army National Guard units are integrated with state fusion centers responsible for cyber threat-sharing — the loot from one unit maps directly onto the cybersecurity partners of every other unit. Removal is harder this year than last because the surface to be cleaned is larger this year than last.