The integration of sensing and information technology renders the power grid susceptible to cyber-attacks. To understand how vulnerable the state estimator is, we study its behavior under the worst attacks possible. A general false data injection attack (FDIA) based on the AC model is formulated, where the attacker manipulates sensor measurements to mislead the system operator to make decisions based on a falsified state. To stage such an attack, the optimization problem incorporates constraints of limited resources (allowing only a limited number of measurements to be altered), and stealth operation (ensuring the cyber hack cannot be identified by the bad data detection algorithm). Due to the nonlinear AC power flow model and combinatorial selection of compromised sensors, the problem is nonconvex and cannot be solved in polynomial time; however, it is shown that convexification of the original problem based on a semidefinite programming (SDP) relaxation and a sparsity penalty is able to recover a near-optimal solution. This represents the first study to solve the AC-based FDIA. Simulations on a 30-bus system illustrate that the proposed attack requires only sparse sensor manipulation and remains stealthy from the residual-based bad data detection mechanism. In light of the analysis, this study raises new challenges on grid defense mechanism and attack detection strategy.