This paper studies an attacker against a cyber-physical system (CPS) whose goal is to move the state of a CPS to a target state while ensuring that his or her probability of being detected does not exceed a given bound. The attacker's probability of being detected is related to the nonnegative bias induced by his or her attack on the CPS' detection statistic. We formulate a linear quadratic cost function that captures the attacker's control goal and establish constraints on the induced bias that reflect the attacker's detection-avoidance objectives. When the attacker is constrained to be detected at the false-alarm rate of the detector, we show that the optimal attack strategy reduces to a linear feedback of the attacker's state estimate. In the case that the attacker's bias is upper bounded by a positive constant, we provide two algorithms -- an optimal algorithm and a sub-optimal, less computationally intensive algorithm -- to find suitable attack sequences. Finally, we illustrate our attack strategies in numerical examples based on a remotely-controlled helicopter under attack.