The Internet of things (IoT) will make it possible to interconnect and simultaneously control distributed electrical loads. Various technical and regulatory concerns have been raised that IoT-operated loads are being deployed without appropriately considering and systematically addressing potential cyber-security challenges. Hence, one can envision a hypothetical scenario when an ensemble of IoT-controlled loads can be hacked with malicious intentions of compromising operations of the electrical grid. Under this scenario, the attacker would use geographically distributed IoT-controlled loads to alternate their net power injections into the electrical grid in such a way that may disrupt normal grid operations. This paper presents a modeling framework to analyze grid impacts of distributed cyber-attacks on IoT-controlled loads. This framework is used to demonstrate how a hypothetical distributed cyber-attack propagates from the distribution electrical grid, where IoT-controlled loads are expected to be installed, to the transmission electrical grid. The techno-economic interactions between the distribution and transmission electrical grids are accounted for by means of bilevel optimization. The case study is carried out on the modified versions of the 3-area IEEE Reliability Test System (RTS) and the IEEE 13-bus distribution feeder. Our numerical results demonstrate that the severity of such attacks depends on the penetration level of IoT-controlled loads and the strategy of the attacker.