This paper studies an attacker against a cyber-physical system (CPS) whose goal is to move the state of a CPS to a target state while ensuring that his or her probability of being detected does not exceed a given bound. The attacker's probability of being detected is related to the non-negative bias induced by his or her attack on the CPS's detection statistic. We formulate a linear quadratic cost function that captures the attacker's control goal and establish constraints on the induced bias that reflect the attacker's detection-avoidance objectives. When the attacker is constrained to be detected at the false alarm rate of the detector, we show that the optimal attack strategy reduces to a linear feedback of the attacker's state estimate. In the case that the attacker's bias is upper bounded by a positive constant, we provide two algorithms—an optimal algorithm and a suboptimal, less computationally intensive algorithm—to find suitable attack sequences. Finally, we illustrate our attack strategies in numerical examples based on a remotely controlled helicopter under attack.