In this paper, we analyze the vulnerabilities due to novel integrity cyber attacks in CPS, which are modeled as a stochastic Linear Time-Invariant (LTI) system equipped with a Kalman filter, an LQG controller, and a χ2 failure detector from an attacker's standpoint. The attacks are designed by a sophisticated attacker so that the measurement residual of the compromised system coincides with the healthy one. Additionally, the attacked system state is manipulated to an objective which is designed by the adversary. We first show an existence condition and a design procedure of the stealthy attacks using invariant subspace property. Then, we formulate the stealthy attacks with a malicious objective, and the condition of the feasible objectives is derived. Finally, the dangerousness of the attacks is verified through a numerical simulation.